initial: no secrets

2024-02-12 17:01:18 +01:00
commit cf9efd55b5
186 changed files with 8697 additions and 0 deletions
@@ -0,0 +1,8 @@
*.swp
ansible.log
files/icinga_master_hosts.conf
files/nsca_server.conf
files/async-icinga-config-dynamic.json
files/async-icinga-services-dynamic.conf
hosts.ini
files/atlantis-hub-content/
@@ -0,0 +1 @@
ansible-galaxy collection install community.general
@@ -0,0 +1,3 @@
[defaults]
inventory = hosts.ini
log_path = ansible.log
@@ -0,0 +1,63 @@
https://github.com/weiss/nsca-ng/blob/master/COPYING
Unless otherwise noted, all files distributed as part of NSCA-ng are covered
by the copyright and license statement below. Some files (outside the `src'
directory) are subject to different copyright and/or license terms, as
specified at the top of those files. However, all NSCA-ng code is believed
to be covered by terms which are at least as permissive as the following
license.
| Copyright (c) 2013 Holger Weiss <holger@weiss.in-berlin.de>
| All rights reserved.
|
| Redistribution and use in source and binary forms, with or without
| modification, are permitted provided that the following conditions are
| met:
|
| 1. Redistributions of source code must retain the above copyright notice,
| this list of conditions and the following disclaimer.
|
| 2. Redistributions in binary form must reproduce the above copyright
| notice, this list of conditions and the following disclaimer in the
| documentation and/or other materials provided with the distribution.
|
| THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
| IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
| THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
| PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR
| CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
| EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
| PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
| PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
| LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
| NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
| SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
In addition to these copyright and license terms, binary redistributions may
be required to reproduce the following copyright notices, depending on which
source files are compiled. The above license statement applies to all of
them.
If any files in the `lib/ev' directory are used during compilation:
| Copyright (c) 2007-2018 Marc Alexander Lehmann <libev@schmorp.de>
| Copyright (c) 2011 Emanuele Giaquinta
If any files in the `lib/pidfile' directory are used during compilation:
| Copyright (c) 2005 Pawel Jakub Dawidek <pjd@FreeBSD.org>
| Copyright (c) 2007 Dag-Erling Coidan Smoergrav
If the file `lib/pidfile/flock.c' is used during compilation:
| Copyright (c) 2001 The NetBSD Foundation, Inc.
If any files in the `python' directory (except for `uthash.h') are used:
| Copyright (c) 2014 Alexander Golovko
If any files in the `perl' directory are used:
| Copyright (c) 2015 Matthias Bethke
Additional requirements may be imposed by external libraries.
@@ -0,0 +1,50 @@
#!/usr/bin/python3
import subprocess
import sys
import os
import argparse
import json
if __name__ == "__main__":
parser = argparse.ArgumentParser(description="Backup Dir Size helper")
parser.add_argument('PATH')
parser.add_argument('--save-new-size', action='store_const',
default=False, const=True)
args = parser.parse_args()
# check parameter #
if not args.PATH.replace("/", "").replace("-","").isalnum():
print("Illegal Path: {} (must be alphanum + /)".format(args.PATH))
sys.exit(1)
elif not args.PATH.startswith("/"):
print("Path mus be absolute ({})".format(args.PATH))
sys.exit(1)
elif not os.path.isdir(args.PATH):
print("Path does not exist ({}".format(args.PATH))
sys.exit(1)
savedir = "/opt/backup-info"
savepath = os.path.join(savedir, args.PATH.lstrip("/").replace("/", "-"))
currentSize = 0
if os.path.isfile(savepath):
with open(savepath) as f:
currentSize = int(f.read())
# check #
p = subprocess.run(["du", args.PATH], capture_output=True, encoding="utf-8")
size = int(p.stdout.split("\n")[-2].split("\t")[0])
if currentSize and currentSize == size:
result = { "changed" : False, "old" : currentSize, "new" : size }
else:
result = { "changed" : True, "old" : currentSize, "new" : size }
if args.save_new_size:
with open(savepath, "w") as f:
f.write(str(size))
# return result
print(json.dumps(result))
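Review bot: The `du` call at L113 never checks `p.returncode` or that stdout is non-empty, so a failed run is parsed as if it succeeded and an empty stdout raises IndexError at `split("\n")[-2]`. Consider `p = subprocess.run(["du", "-s", args.PATH], capture_output=True, encoding="utf-8")` followed by `if p.returncode != 0 or not p.stdout.strip():` and `sys.exit("du failed: " + p.stderr.strip())`; note that du also exits non-zero when it merely could not read a subtree, so you may want to treat that case as a warning and still use the printed total. `-s` additionally avoids listing every subdirectory when only the final total line is used. The messages at L101 and L104 have typos (`mus`, missing closing parenthesis), and `int(f.read())` at L111 raises an uncaught ValueError if the saved size file is empty or corrupt.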
@@ -0,0 +1 @@
deb [signed-by=/usr/share/keyrings/influx-repo.gpg] https://repos.influxdata.com/debian bullseye stable
@@ -0,0 +1,106 @@
#!/usr/bin/python3
"""
You can redistribute it and/or modify it under the terms of the GNU General
Public License as published by the Free Software Foundation, either version 2
of the License.
Copyright Andrea Briganti a.k.a 'Kbyte'
"""
import io
import subprocess
import argparse
import nagiosplugin
class SystemdStatus(nagiosplugin.Resource):
name = 'SYSTEMD'
def probe(self):
# Execute systemctl --failed --no-legend and get output
try:
p = subprocess.Popen(['systemctl', '--failed', '--no-legend'],
stderr=subprocess.PIPE,
stdin=subprocess.PIPE,
stdout=subprocess.PIPE)
pres, err = p.communicate()
except OSError as e:
raise nagiosplugin.CheckError(e)
if err:
raise nagiosplugin.CheckError(err)
if pres:
result = ""
for line in io.StringIO(pres.decode('utf-8')):
# format is DOT_SPECIA_CHAR name service failed ..
result = "%s %s" % (result, line.split(' ')[1])
return [nagiosplugin.Metric('systemd', (False, result), context='systemd')]
return [nagiosplugin.Metric('systemd', (True, None), context='systemd')]
class ServiceStatus(nagiosplugin.Resource):
name = 'SYSTEMD'
def __init__(self, *args, **kwargs):
self.service = kwargs.pop('service')
super(nagiosplugin.Resource, self).__init__(*args, **kwargs)
def probe(self):
# Execute systemctl is-active and get output
try:
p = subprocess.Popen(['systemctl', 'is-active', self.service],
stderr=subprocess.PIPE,
stdin=subprocess.PIPE,
stdout=subprocess.PIPE)
pres, err = p.communicate()
except OSError as e:
raise nagiosplugin.CheckError(e)
if err:
raise nagiosplugin.CheckError(err)
if pres:
result = ""
for line in io.StringIO(pres.decode('utf-8')):
result = "%s %s" % (result, line.split(' ')[0])
result = result.strip()
if result == "active":
return [nagiosplugin.Metric('systemd', (True, None), context='systemd')]
else:
return [nagiosplugin.Metric('systemd', (False, self.service), context='systemd')]
return [nagiosplugin.Metric('systemd', (False, "No Service given"), context='systemd')]
class SystemdContext(nagiosplugin.Context):
def __init__(self):
super(SystemdContext, self).__init__('systemd')
def evaluate(self, metric, resource):
value, output = metric.value
if value:
return self.result_cls(nagiosplugin.Ok, metric=metric)
else:
return self.result_cls(nagiosplugin.Critical, metric=metric, hint='failed units: %s' % output)
def main():
parser = argparse.ArgumentParser()
parser.add_argument("-s", "--service", type=str, dest="service", help="Name of the Service that is beeing tested")
args = parser.parse_args()
if args.service is None:
check = nagiosplugin.Check(
SystemdStatus(),
SystemdContext())
else:
check = nagiosplugin.Check(
ServiceStatus(service=args.service),
SystemdContext())
check.main()
if __name__ == '__main__':
main()
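Review bot: `super(nagiosplugin.Resource, self).__init__(*args, **kwargs)` at L172 starts the MRO lookup after `nagiosplugin.Resource`, so `Resource.__init__` itself is skipped and the call lands on `object.__init__`; it only works because `service` was popped and nothing else is passed. It should read `super().__init__(*args, **kwargs)` (or `super(ServiceStatus, self)`). The `if err:` checks at L159 and L183 turn any stderr output into a CheckError even when systemctl succeeded, while `p.returncode` is never consulted — `is-active` in particular reports inactive units through its exit status. `line.split(' ')[1]` at L165 relies on the leading bullet column of `systemctl --failed` output; `line.split()[1]` is more robust to repeated spaces, and a comment stating that the bullet is expected would help the next reader. The help text at L206 has `beeing` for `being`.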
@@ -0,0 +1,280 @@
---
checks:
extra_sheppy_pubkeys:
nsca_server: ""
ldap_server: ""
nsca_password: ""
RSYSLOG_SERVER: ""
influxdb_telegraf_password: ""
icinga_api_user: ""
icinga_api_pass: ""
icinga_api_url: "https://XXXXXXXXXXXXXXX:5665"
icinga_web_url: "https://icinga.atlantishq.de/"
event_dispatcher_host: dispatcher.atlantishq.de
event_dispatcher_proto: https
event_dispatcher_port: 443
event_dispatcher_address: "{{ event_dispatcher_proto }}://{{ event_dispatcher_host }}"
event_dispatcher_user: ""
event_dispatcher_pass: ""
ldap_password: ""
ldap_dc: "atlantishq"
ldap_org: "atlantishq de"
ldap_suffix: "dc=atlantishq,dc=de"
ldap_bind_dn: "cn=Manager,dc=atlantishq,dc=de"
ldap_user_dn: "ou=People,dc=atlantishq,dc=de"
ldap_group_dn: "ou=groups,dc=atlantishq,dc=de"
ldap_connection_url: ldap://192.168.122.112
ldap_connection_url_ext: "ldaps://ldap.atlantishq.de"
event_dispatcher_token: ""
extra_root_keys:
- "# no extra keys"
smtp_internal_host: mail.atlantishq.de
smtp_internal_host_port: 8025
smtp_service_user: ""
smtp_service_pass: ""
pki_domain: pki.atlantishq.de
SOUNDLIB_AWS_ACCESS_KEY_ID: ""
SOUNDLIB_AWS_SECRET_ACCESS_KEY: ""
SOUNDLIB_S3_ENDPOINT: ""
# gotify #
gotify_user: admin
gotify_password: ""
# overwritten in monitoring master group var
monitoring_master: false
async_icinga_static_services:
- { "name" : "service_names", "timeout" : "5h", "owner" : "sheppy", "token" : "" }
keycloak_admin_password: ""
keycloak_postgres_password: ""
keycloak_address: keycloak.atlantishq.de
harbor_http_secret: ""
harbor_core_secret: ""
harbor_jobservice_secret: ""
harbor_postgres_pass: ""
harbor_registry_user: harbor
harbor_registry_password: ""
harbor_admin_password: ""
keycloak_clients:
python-flask-picture-factory:
party_secret : "" # pwgen -s 16
client_id: z_images
client_secret: "" # pwgen -s 32
redirect_uris:
- "https://images.atlantishq.de/*"
- "https://images.athq.de/*"
- "https://images.potaris.de/*"
description: "Images Factory"
keycloak_id: "00000000-0000-0000-0000-000000000001"
groups: "images"
master_address: "https://images.atlantishq.de"
skips:
- "/m/"
- "/media/"
- "/image/"
- "/images/"
- "/picture/"
- "/pictures/"
simple-log-server:
party_secret : ""
client_id: z_sls
client_secret: ""
redirect_uris:
- "https://sls.atlantishq.de/*"
description: "Simple Log Server"
keycloak_id: "00000000-0000-0000-0000-000000000002"
groups: "monitoring"
master_address: "https://sls.atlantishq.de"
skips:
- "/submit"
soundlib-interface:
party_secret : ""
client_id: z_soundlib
client_secret: ""
redirect_uris:
- "https://sounds.atlantishq.de/*"
description: "Soundlib interface"
keycloak_id: "00000000-0000-0000-0000-000000000003"
groups: "soundlib"
master_address: "https://sounds.atlantishq.de"
skips:
pki:
party_secret : ""
client_id: z_hashicorp_vault
client_secret: ""
redirect_uris:
- "https://pki.atlantishq.de/*"
description: "PKI Vault"
keycloak_id: "00000000-0000-0000-0000-000000000004"
groups: "pki"
master_address: "https://pki.atlantishq.de"
skips:
cert-manager:
party_secret : ""
client_id: z_cert_manager
client_secret: ""
redirect_uris:
- "https://vpn.atlantishq.de/*"
description: "AtlantisHQ Certificate Manager"
keycloak_id: "00000000-0000-0000-0000-000000000005"
groups: "pki"
master_address: "https://vpn.atlantishq.de"
skips:
tmnf-replay-server:
party_secret : ""
client_id: z_trackmania
client_secret: ""
redirect_uris:
- "https://trackmania.atlantishq.de/*"
description: "AtlantisHQ Trackmania Replays"
keycloak_id: "00000000-0000-0000-0000-000000000006"
groups: "trackmania"
master_address: "https://trackmania.atlantishq.de"
skips:
- "/open-info"
atlantis-hub:
party_secret : ""
client_id: z_atlantishub
client_secret: ""
redirect_uris:
- "https://hub.atlantishq.de/*"
description: "AtlantisHQ Hub"
keycloak_id: "00000000-0000-0000-0000-000000000007"
groups:
master_address: "https://hub.atlantishq.de"
skips:
paperless:
party_secret : ""
client_id: z_paperless
client_secret: ""
redirect_uris:
- "https://paperless.atlantishq.de/*"
description: "AtlantisHQ Paperless Archiving"
keycloak_id: "00000000-0000-0000-0000-000000000008"
groups: "paperless"
master_address: "https://paperless.atlantishq.de"
skips:
icinga:
party_secret : ""
client_id: z_icinga
client_secret: ""
redirect_uris:
- "https://icinga.atlantishq.de/*"
description: "Icinga Web"
keycloak_id: "00000000-0000-0000-0000-000000000009"
groups: "monitoring,icinga"
master_address: "https://icinga.atlantishq.de"
skips:
grafana:
party_secret : ""
client_id: z_grafana
client_secret: ""
redirect_uris:
- "https://stats.atlantishq.de/*"
description: "Grafana"
keycloak_id: "00000000-0000-0000-0000-000000000010"
groups: "monitoring"
master_address: "https://stats.atlantishq.de"
skips:
async-icinga:
party_secret : ""
client_id: z_async_icinga
client_secret: ""
redirect_uris:
- "https://async-icinga.atlantishq.de/*"
description: "Icinga Web"
keycloak_id: "00000000-0000-0000-0000-000000000011"
groups: "monitoring,icinga"
master_address: "https://async-icinga.atlantishq.de"
skips:
- "/report"
hedgedoc:
party_secret : ""
client_id: z_hedgedoc
client_secret: ""
redirect_uris:
- "https://hedgedoc.atlantishq.de/*"
description: "Hedgedoc"
keycloak_id: "00000000-0000-0000-0000-000000000012"
groups: "monitoring"
master_address: "https://hedgedoc.atlantishq.de"
harbor:
party_secret: ""
client_id: z_harbor
client_secret: ""
redirect_uris:
- "https://harbor-registry.atlantishq.de/*"
description: "Harbor Registry"
keycloak_id: "00000000-0000-0000-0000-000000000013"
groups: "pki"
master_address: "https://harbor-registry.atlantishq.de"
atlantis-verify:
party_secret: ""
client_id: z_at_verify
client_secret: ""
redirect_uris:
- "https://verify.atlantishq.de/*"
description: "Atlantis Verification"
keycloak_id: "00000000-0000-0000-0000-000000000014"
groups:
master_address: "https://verify.atlantishq.de"
reactive-resume:
party_secret: ""
client_id: z_reactive_resume
client_secret: ""
redirect_uris:
- "https://resume.atlantishq.de/*"
description: "Reactive Resume"
keycloak_id: "00000000-0000-0000-0000-000000000015"
groups:
master_address: "https://resume.atlantishq.de"
skips:
- "/logo/light.svg"
money-balancer:
party_secret: ""
client_id: z_money_balancer
client_secret: ""
redirect_uris:
- "https://money-balancer.atlantishq.de/*"
description: "Money Balancer"
keycloak_id: "00000000-0000-0000-0000-000000000016"
groups:
master_address: "https://money-balancer.atlantishq.de"
atlantis-web-check:
party_secret: ""
client_id: z_web_check
client_secret: ""
redirect_uris:
- "https://smartchecks.atlantishq.de/*"
description: "SMART Web-Checks"
keycloak_id: "00000000-0000-0000-0000-000000000017"
groups:
master_address: "https://smartchecks.atlantishq.de"
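Review bot: Every credential in this file (`nsca_password`, `ldap_password`, `icinga_api_pass`, `keycloak_admin_password`, the `client_secret`/`party_secret` entries, …) defaults to an empty string, and the harbor group vars at L481-482 follow the same pattern. An empty default is the dangerous kind: if the vault or host override is missing, templates such as the LDAP bind password in the compose files render silently with `""` instead of failing the play. Either leave these keys undefined here (an undefined variable aborts templating) or add a pre-task that asserts `ldap_password | length > 0` and friends before any template is written. `icinga_api_url` at L235 still carries an `XXXXXXXXXXXXXXX` placeholder host, which presumably is meant to be overridden as well.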
@@ -0,0 +1,4 @@
harbor_version: v2.10.0
harbor_file: harbor-online-installer-{{ harbor_version }}.tgz
harbor_admin_password: ""
harbor_db_password: ""
+3
View File
@@ -0,0 +1,3 @@
---
checks :
- { user : sheppy, name : irc, cmd : "/bin/true"}
@@ -0,0 +1,7 @@
extra_sheppy_pubkeys: |
ssh-rsa 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 bekama
ssh-rsa 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 kathi@atlantisV2
extra_root_keys:
- ssh-rsa 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 bekama
- ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCbKTdJjGmXz4dWD21wnLBZXgI1hPBE1gaIW2DAraZFExmoamhYtLTGNv1w2caM22hRI3yk+5DYJHEdhYt3ws7b8ZnLJnjJr8LQj8q3RRfI5ixkO1IsHiO1QG9blaD01aQ7zLd7h9X0gk9wpkC0CR3Z9LsfW73Wkgs+b0ggVeyheX9CXFfCDmveoDKj/Rl1gBZAfFyEvhTiuh9TNVyMdo6haYRJNYXIj3yMWaFQY30Sdf1y+IVwUXsko/RZ8YA8lJ3eHPbs3tdmCgvprHefC051NzIducUuAwq1EVYnFfj6Vbp9QJDbgc1lHDinwr1Sw1C0a+3p+jip8atqPEkBpcqhqEYjq0hGZOUTSSetny7mtS4cK5WGZbwxejD9/eg0Vf60DAqkWN1zXWUQNNftcf1bPvCxqUl7nTjW01Bdyo5LTleAGOPmusOVRaCnu5YkL+g5RIhg97sumWwDfp2Tcr3cz5pRdox9QXDXafcSpSbcUPdqIl094GitkQExCZ91dY0= kathi@atlantisV2
@@ -0,0 +1,3 @@
---
checks :
- { user : nobody, name : mail_queue, cmd : "/usr/lib/nagios/plugins/check_mailq -w 10 -c 20"}
@@ -0,0 +1,6 @@
monitoring_master: true
extra_internal_iptables_ports_allow:
- { "protocol" : "tcp", "port" : 8086, "comment" : "influx" }
- { "protocol" : "tcp", "port" : 514, "comment" : "rsyslog" }
- { "protocol" : "tcp", "port" : 5665, "comment" : "icinga-api" }
- { "protocol" : "tcp", "port" : 5668, "comment" : "nsca" }
@@ -0,0 +1,4 @@
---
checks :
- { user : sheppy, name : insurgency-1, cmd : "/etc/monitoring-tools/rcon-check.py -p 27015"}
- { user : sheppy, name : insurgency-2, cmd : "/etc/monitoring-tools/rcon-check.py -p 27016"}
@@ -0,0 +1,3 @@
---
checks :
- { user : sheppy, name : irc, cmd : ""}
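Review bot: The `irc` check on L525 has an empty `cmd`, whereas the same check on L488 runs `/bin/true`; an empty command will presumably fail or be skipped by whatever consumes `checks`, so either drop this entry or give it the real command. If the empty value is intentional as a disable marker, a comment saying so would save the next reader from guessing.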
@@ -0,0 +1,7 @@
---
extra_internal_iptables_ports_allow:
- { "protocol" : "tcp", "port" : 389, "comment" : "ldap" }
- { "protocol" : "tcp", "port" : 22, "comment" : "ssh from backup" }
extra_sheppy_pubkeys: |
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDaABPy9h009vUQj+gewvhIO9kDpUBkkW5dGz6HsDxp6FLeZ0KOMTPZyRkwPHkC3Jee8vkTl2fFi7wjXhkWSpPe7H/RFdn6nHf5RSvM4aEwhkjD7E1lvf9lLRUXnISeFXFOdD3hpRXqT5yVP9O1S3Rk3b+i9HPlcw1vDmFHS5mZ+rXmxQSyHD8uuyCEL1Ri5IOz9XxycaJ/MHX2XaHWU+xgrQ2uvWrvhnibB3bhtf94GrHJQXRfjUc4nF3SG3937Fkdit5LozuDE3/mLoNN6PwXz13Z2acClpjiyOZQxpa2+TpwE5i2rWoZwsXv//yzohHbA30+qYSxJYQrYZ1XRyOSPFWSp3wwcuj8yMMqMJT2e75ZyWaHuoYuindOFW4VMR7pFppssnnbdLHvJGe5PZMSDxlyhUtkAK4p1nf2nEng3VjCBcn6UWK1po5DQmcLwkd0cQbWTLxHjH4sAtfyp7A8jsGLXrhWraMOOoU0JVkamZrq2BuSyaC5S7+KdvGCg3U= backupvm
@@ -0,0 +1,9 @@
---
checks :
- { user : nobody, name : wireguard-darknet-rudi, cmd : "/usr/lib/nagios/plugins/check_ping -H fe80::2%wg_rudi_darknet -w300,10% -c 1000,20%"}
- { user : nobody, name : wireguard-darknet-hase, cmd : "/usr/lib/nagios/plugins/check_ping -H fe80::2%wg_hase_darknet -w300,10% -c 1000,20%"}
# - { user : nobody, name : darknet-reachable, cmd : "/usr/lib/nagios/plugins/check_ping -H 10.100.100.100 -w300,10% -c 1000,20%"}
openvpn_management_password: ""
openvpn_management_passfile: mgnt-pass.txt
openvpn_management_port: 23000
@@ -0,0 +1,2 @@
extra_internal_iptables_ports_allow:
- { "protocol" : "tcp", "port" : 5004, "comment" : "signal-gateway" }
@@ -0,0 +1,2 @@
extra_internal_iptables_ports_allow:
- { "protocol" : "tcp", "port" : 10051, "comment" : "zabbix-server" }
@@ -0,0 +1,63 @@
---
- hosts: all
roles:
- { role : monitoring-client, tags : [ "monitoring", "monitoring-client", "client"] }
- { role : sshd-config, tags : [ "sshd" ] }
- { role : rsyslog, tags : [ "rsyslog" ] }
- { role : monitoring-influx, tags : [ "influx" ] }
- { role : base, tags : [ "base" ] }
- { role : zabbix-agent, tags : [ "zabbix-agent" ] }
- { role : iptables, tags : [ "iptables" ] }
- hosts: web1
roles:
- { role : web1, tags : [ "web1" ] }
- { role : media, tags : [ "media" ] }
- hosts: mail
roles:
- { role : mail, tags : [ "mail" ] }
- hosts: backup
roles:
- { role : backup-vm, tags : [ "backup" ] }
- hosts: kube1
roles:
- { role : docker-deployments, tags : [ "docker", "kube1" ] }
- hosts: usermanagement
roles:
- { role : usermanagement, tags : [ "users", "keycloak" ] }
- hosts: monitoring
roles:
- { role : monitoring-master, tags : [ "monitoring-master", "icinga", "grafana" ] }
- hosts: typo3-cms
roles:
- { role : typo3-cms, tags : [ "typo3" ] }
- hosts: paperless
roles:
- { role : paperless, tags : [ "paperless" ] }
- hosts: vault-pki
roles:
- { role : vault-pki, tags : [ "pki_master", "vault" ] }
- hosts: vpn
roles:
- { role : openvpn, tags : [ "openvpn", "vpn", "certificate-manager" ] }
- hosts: timetracking
roles:
- { role : timetracking, tags : [ "timetracking", "kamai" ] }
- hosts: harbor-registry
roles:
- { role : harbor-registry, tags : [ "harbor" ] }
- hosts: nextcloud ths
roles:
- { role: nextcloud, tags: ["nextcloud"] }
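Review bot: `hosts: nextcloud ths` at L606 uses a space as pattern separator; Ansible documents `:` and `,` as the separators for combining patterns and whitespace-separated patterns are at best a legacy form, so `hosts: nextcloud:ths` (or a YAML list) would be unambiguous. The other plays write `role :` with a space before the colon while this one uses `role:`; harmless, but worth normalising since the file is otherwise consistent.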
@@ -0,0 +1,11 @@
- name: Install Prometheus Node Exporter
hosts: prometheus
become: yes
tasks:
- name: Install Prometheus Node Exporter
import_role:
name: prometheus.prometheus.node_exporter
vars:
#node_exporter_basic_auth_users:
# prometheus: "toto"
node_exporter_web_telemetry_path: "/node-exporter"
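Review bot: `node_exporter_basic_auth_users` is commented out at L620-621, so the exporter's `/node-exporter` endpoint is served without authentication; if the listener is reachable beyond localhost this exposes host metrics (mounts, users, process counts) to anyone on the network, so either enable the basic auth with a hashed password from vault (not the `toto` placeholder) or make sure the iptables role keeps its port closed. A short comment explaining why auth is disabled would otherwise help.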
@@ -0,0 +1,38 @@
-----BEGIN OPENSSH PRIVATE KEY-----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-----END OPENSSH PRIVATE KEY-----
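Review bot: This file is an OpenSSH private key committed to the repository in plaintext, in a commit titled "no secrets". Even with the key body redacted in this view, anything that has been pushed lives in git history, so the key should be treated as exposed: generate a new key pair, replace the public half on the hosts that trust it, and keep the private half out of the repo (ansible-vault encrypt it, or generate it on the backup host and only collect the public key). The same applies to the password and token hard-coded in the slapd backup script at L782 and L785.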
@@ -0,0 +1,3 @@
Host *
User sheppy
IdentityFile ~/.ssh/backup_priv_key
@@ -0,0 +1,27 @@
#!/bin/bash
set -e
cd
BACKUP_NAME=backup_$(date +%Y%m%d).zip
mkdir -p ~/ths_caldav_backups/
mkdir -p ~/ths_carddav_backups/
mkdir -p ~/ths_carddav_telefon_backups/
vdirsyncer -c vsyncdir.conf sync
zip -q -r ~/ths_caldav_backups/${BACKUP_NAME} ~/ths-caldav
zip -q -r ~/ths_carddav_backups/${BACKUP_NAME} ~/ths-carddav
zip -q -r ~/ths_carddav_telefon_backups/${BACKUP_NAME} ~/ths-carddav-telefon
~/backups/backup-tools/backup_manager.py ~/ths_caldav_backups/ --debug
~/backups/backup-tools/backup_manager.py ~/ths_carddav_backups/ --debug
~/backups/backup-tools/backup_manager.py ~/ths_carddav_telefon_backups/ --debug
# send to storrage box
rsync --delete --rsh="/usr/bin/sshpass -p '' ssh -p23" -r ths_caldav_backups/* u244665-sub2@u244665.your-storagebox.de:./ths_caldav_backups/
rsync --delete --rsh="/usr/bin/sshpass -p '' ssh -p23" -r ths_carddav_backups/* u244665-sub2@u244665.your-storagebox.de:./ths_caldav_backups/carddav/
rsync --delete --rsh="/usr/bin/sshpass -p '' ssh -p23" -r ths_carddav_telefon_backups/* u244665-sub2@u244665.your-storagebox.de:./ths_caldav_backups/carddav_telefon/
curl -H "Content-Type: application/json" \
-X POST https://async-icinga.atlantishq.de/report \
-d '{ "service" : "ths_caldav_backup", "token" : "", "status" : "OK", "info" : "" }'
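Review bot: The three rsync invocations at L651-653 pass the storage-box password via `sshpass -p '…'` on the command line, which makes it visible to every local user in `ps`/`/proc` for the duration of the transfer; prefer `export SSHPASS=…` with `sshpass -e`, or better key-based auth using the `backup_priv_key` this role already installs (L743-752). Because the file is deployed with `copy:` rather than `template:` (L712-717), the empty password and the empty `token` at L656 cannot be filled from vault variables — switching it to a template like `slapd_backup.sh` would let both come from group vars.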
@@ -0,0 +1,54 @@
[general]
status_path = "~/.vdirsyncer/status/"
[pair ths_caldav]
a = "ths_remote_caldav"
b = "ths_local_caldav"
collections = ["from a"]
[storage ths_remote_caldav]
type = "caldav"
read_only = true
url = "https://ths.atlantishq.de/remote.php/dav/calendars/backup/ths_shared_by_ths/"
username = "backup"
password = ""
[storage ths_local_caldav]
type = "filesystem"
path = "~/ths-caldav/"
fileext = ".ics"
[pair ths_carddav]
a = "ths_remote_carddav"
b = "ths_local_carddav"
collections = ["from a"]
[storage ths_remote_carddav]
type = "carddav"
read_only = true
url = "https://ths.atlantishq.de/remote.php/dav/addressbooks/users/backup/ths_shared_by_ths/"
username = "backup"
password = ""
[storage ths_local_carddav]
type = "filesystem"
path = "~/ths-carddav/"
fileext = ".vcf"
[pair ths_carddav_telefon]
a = "ths_remote_carddav_telefon"
b = "ths_local_carddav_telefon"
collections = ["from a"]
[storage ths_remote_carddav_telefon]
type = "carddav"
read_only = true
url = "https://ths.atlantishq.de/remote.php/dav/addressbooks/users/backup/ths-telefon-1_shared_by_ths/"
username = "backup"
password = ""
[storage ths_local_carddav_telefon]
type = "filesystem"
path = "~/ths-carddav-telefon/"
fileext = ".vcf"
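Review bot: The three remote storages set `password = ""` in a file that is deployed verbatim with `copy:` (L718-723), so the real backup password has to be edited into the checked-in file or patched on the host by hand. vdirsyncer can fetch the password from a command via `password.fetch = ["command", ...]`, which would let it come from a local secret store outside the repository; alternatively make this a template and inject it from vault. `read_only = true` on the remote side is the right least-privilege choice for a backup account.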
@@ -0,0 +1,76 @@
- name: Install tools
apt:
pkg:
- zip
- vdirsyncer
- name: Copy Backup caldav script
copy:
src: ths_cal_backup.sh
dest: /home/sheppy/ths_cal_backup.sh
owner: sheppy
group: sheppy
- name: Copy vdirsync config
copy:
src: vsyncdir.conf
dest: /home/sheppy/vsyncdir.conf
owner: sheppy
group: sheppy
- name: Create backups dir
file:
path: /home/sheppy/backups/
state: directory
owner: sheppy
group: sheppy
- name: Clone backup tools
git:
repo: https://github.com/FAUSheppy/backup-tools
dest: /home/sheppy/backups/backup-tools/
version: master
become: yes
become_user: sheppy
- name: Create SSH Dir
file:
path: /home/sheppy/.ssh/
state: directory
owner: sheppy
group: sheppy
- name: Copy SSH config and backup priv key
copy:
src: "{{ item }}"
dest: "/home/sheppy/.ssh/{{ item }}"
owner: sheppy
group: sheppy
mode: 0600
with_items:
- backup_priv_key
- config
- name: template SLAPD backup script
template:
src: slapd_backup.sh
dest: /home/sheppy/
owner: sheppy
group: sheppy
mode: 0700
- name: Add slapd script to cron
cron:
minute: "10"
hour: "1"
name: SLAPD via rsync backup
job: /home/sheppy/slapd_backup.sh
user: sheppy
- name: Add ths nextcloud backup script to cron
cron:
minute: "0"
hour: "1"
name: THS Caldav Backup
job: /home/sheppy/ths_cal_backup.sh
user: sheppy
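Review bot: The `git:` task at L730-736 checks out `version: master`, and the resulting `backup_manager.py` is then executed from cron as `sheppy` by the scripts this role installs (L647-649, L781). Any change pushed to that branch — by the owner or by whoever gains control of that GitHub account — runs on the backup host at the next play; pinning `version:` to a commit SHA or signed tag and bumping it deliberately is the usual mitigation. The `copy:` of `backup_priv_key` (L743-752) with `mode: 0600` is correct, but the key itself comes from the repo's `files/` directory (L626), so it is only as secret as the repository.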
@@ -0,0 +1,14 @@
#!/bin/bash
set -e
DIR=/home/sheppy/slapd_backup
rsync -r --remove-source-files sheppy@192.168.122.112:$DIR /home/sheppy
~/backups/backup-tools/backup_manager.py --extensions ldif -- $DIR
rsync --delete --rsh="/usr/bin/sshpass -p ebHYlyVHgRnBcdkb ssh -p23" -r slapd_backup/* u244665-sub2@u244665.your-storagebox.de:./slapd_backup/
curl -H "Content-Type: application/json" \
-X POST https://async-icinga.atlantishq.de/report \
-d '{ "service" : "slapd_backup", "token" : "WX0yXFxSsb", "status" : "OK", "info" : "" }'
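Review bot: L782 and L785 embed a live sshpass password and an async-icinga report token in the script, even though the task at L753-759 deploys it with `template:` — so they could be `{{ ... }}` references to vaulted variables instead, matching `ths_cal_backup.sh` which leaves them empty. Both values are now in git history and should be rotated regardless of how this file is cleaned up. As with the other script, `sshpass -p` exposes the password in the process list; `sshpass -e` with `SSHPASS` in the environment, or key-based auth, avoids that.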
@@ -0,0 +1,49 @@
- name: Install packages
apt:
pkg:
- rsync
- zsh
- net-tools
- tcpdump
- git
- apt-file
- name: Ensure Opt dir exists and accessible
file:
name: /opt/
state: directory
mode: 0711
- name: Ensure backup info dir exists and accessible
file:
name: /opt/backup-info/
state: directory
mode: 0700
- name: Copy Backup Helper script
copy:
src: check_dir_size_for_backup.py
dest: /opt/check_dir_size_for_backup.py
mode: 0755
- name: Create sheppy .ssh dir
file:
path: /home/sheppy/.ssh/
state: directory
owner: sheppy
group: sheppy
mode: 0700
- name: Template Sheppy authorized keys
template:
src: authorized_keys_sheppy.j2
dest: /home/sheppy/.ssh/authorized_keys
owner: sheppy
group: sheppy
mode: 0600
- name: Add extra root keys
lineinfile:
path: /root/.ssh/authorized_keys
line: "{{ item }}"
loop: "{{ extra_root_keys }}"
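Review bot: `lineinfile` at L827-831 only ever appends to `/root/.ssh/authorized_keys`, so removing an entry from `extra_root_keys` never revokes access on the host, and the task fails on a fresh host where the file does not yet exist (`lineinfile` does not create it unless `create: yes`). The `ansible.posix.authorized_key` module, or templating the whole file as is already done for `sheppy` at L820-826, gives a declarative list where removal propagates. With `/opt/` at `0711` and `/opt/backup-info/` at `0700` the size cache used by the helper script is correctly root-only.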
@@ -0,0 +1,3 @@
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDoUijFwmZaYHbueDsa3T2BV5UfMxKpztbuJwSBZ5s0WbZlg/9E9SHeGztaN/SCyQZdtOA7bR6tQMWhx4fadvrjg5BrN1bjpNUb2/rAxuWw0yU0Yp2CWwE02m+3bMj4pXeaI2Mk/Ywubfl88W2/OrUpbhHoYeedAIblyzuOwDTS9MpjD/ita89d4CM9AdhGBw3qaggtIxD8A5hULbJWe0D5KdtBFG8RFOmBaEb/tmBvdpwja3i17/AejUdjfjQv8G3BSTbKvOvMRwmnmoE5YCstwHIFqrlmqorSGQIVo5knfcSqgFxs2wDv4OOrPJTWcmr3LmN5lVjHkjtzRQ8zE9sB sheppy-master
ssh-rsa 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 hypervisor
{{ extra_sheppy_pubkeys }}
@@ -0,0 +1,8 @@
- name: reload async icinga settings
uri:
url: "http://localhost:5006/reload-configuration"
status_code: [ 200, 204 ]
- name: restart hub
shell:
cmd: docker restart atlantis-hub_atlantis-hub_1
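Review bot: The reload handler posts to `http://localhost:5006/reload-configuration` (L839), but the async-icinga compose file publishes the service on port 6006 (L1067) and no other compose file in this commit publishes 5006, so the handler looks like it targets a stale port; worth confirming before relying on the notify. `shell: docker restart atlantis-hub_atlantis-hub_1` at L841-843 hard-codes a compose-v1 container name; `community.docker.docker_container` with `restart: true`, or `docker_compose` with `restarted: true`, would survive the naming scheme changing.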
@@ -0,0 +1,215 @@
- include_vars: services.yaml
- name: Create data-dir
file:
name: /data/
state: directory
- name: Create opt-dir
file:
name: /opt/
state: directory
- name: Async Icinga mount directory
file:
name: /data/async-icinga
state: directory
- name: Async Icinga database mount directory
file:
name: /data/async-icinga
state: directory
- name: Async Icinga Service (static)
template:
src: async-config.json.j2
dest: /data/async-icinga/config.json
notify:
- reload async icinga settings
- name: Async Icinga Service (static)
template:
src: async-icinga-config.json.j2
dest: /data/async-icinga/async-icinga-config.json
notify:
- reload async icinga settings
- name: Async Icinga Service (dynamic from backup file)
copy:
src: async-icinga-config-dynamic.json
dest: /data/async-icinga/
notify:
- reload async icinga settings
- name: Create data directories
file:
name: "/data/{{ item }}/"
state: directory
with_items:
- tmnf-replay-server
- atlantis-hub
- grafana
- event-dispatcher
#- reactive-resume
- hedgedoc
- atlantis-verify
- soundlib-interface
- python-flask-picture-factory
- money-balancer
- atlantis-web-check
- gotify
- name: Copy AtlantisHub config
copy:
src: "atlantis-hub-content/config.yaml"
dest: "/data/atlantis-hub/config.yaml"
notify: restart hub
- name: Create AtlantisHubDirectories
file:
name: "/data/atlantis-hub/{{ item }}"
state: directory
with_items:
- static-icons
- instance
- static-cache
- name: Copy AtlantisHub static icons
copy:
src: "atlantis-hub-content/static-icons/"
dest: "/data/atlantis-hub/static-icons/"
- name: Copy AtlantisHub static icons
template:
src: "grafana.ini"
dest: "/data/grafana/grafana.ini"
- name: Create compose directories
file:
name: "/opt/{{ item }}"
state: directory
with_items:
- athq-landing
- grafana
- potaris
- sector32
- async-icinga
- tmnf-replay-server
- atlantis-hub
- grafana
- event-dispatcher
- tor
#- reactive-resume
- hedgedoc
- atlantis-verify
- soundlib-interface
- python-flask-picture-factory
- money-balancer
- atlantis-web-check
- gotify
- name: Copy compose templates
template:
src: "{{ item }}.yaml"
dest: "/opt/{{ item }}/"
with_items:
- athq-landing
- grafana
- potaris
- sector32
- async-icinga
- tmnf-replay-server
- atlantis-hub
- grafana
- event-dispatcher
- tor
- hedgedoc
- atlantis-verify
- soundlib-interface
- python-flask-picture-factory
- money-balancer
- atlantis-web-check
- gotify
- name: Log into private registry
docker_login:
registry: registry.atlantishq.de
username: docker
password: ""
- name: Deploy compose templates
community.docker.docker_compose:
project_src: "/opt/{{ item }}/"
pull: true
files:
- "{{ item }}.yaml"
with_items:
- athq-landing
- grafana
- potaris
- sector32
- async-icinga
- tmnf-replay-server
- atlantis-hub
- grafana
- event-dispatcher
- tor
- hedgedoc
- atlantis-verify
- soundlib-interface
- python-flask-picture-factory
- money-balancer
- atlantis-web-check
- gotify
- name: OAuth2Proxy directories
file:
path: "/opt/oauth2proxy/{{ item }}/"
state: directory
recurse: yes
with_items:
- tmnf-replay-server
- atlantis-hub
- grafana
- async-icinga
- atlantis-verify
- soundlib-interface
- python-flask-picture-factory
#- reactive-resume
- money-balancer
- atlantis-web-check
- name: include services ports
include_vars: services.yaml
- name: Deploy OAuth2Proxy compose files
template:
src: oauth-standalone-docker-compose.yaml
dest: "/opt/oauth2proxy/{{ item }}/docker-compose.yaml"
with_items:
- tmnf-replay-server
- atlantis-hub
- grafana
- async-icinga
- atlantis-verify
- soundlib-interface
- python-flask-picture-factory
#- reactive-resume
- money-balancer
- atlantis-web-check
- name: Deploy OAuth2Proxy
community.docker.docker_compose:
project_src: /opt/oauth2proxy/{{ item }}/
pull: true
with_items:
- tmnf-replay-server
- atlantis-hub
- grafana
- async-icinga
- atlantis-verify
- soundlib-interface
- python-flask-picture-factory
#- reactive-resume
- money-balancer
- atlantis-web-check
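Review bot: The tasks at L856-859 and L860-863 have different names but create the same path `/data/async-icinga`, while the compose file mounts `/data/async-icinga/instance/` (L1064) — the second task presumably meant `name: /data/async-icinga/instance`, otherwise Docker creates that directory as root on first start. `grafana` appears twice in each of the lists at L924-942, L947-964 and L976-993, which is harmless but suggests the service list should be a single variable rather than repeated five times. The images are deployed with `pull: true` and unpinned or `:latest` tags, so a redeploy silently picks up whatever the registry holds; pinning digests or versioned tags makes rollbacks and audits possible.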
@@ -0,0 +1,7 @@
{
"ICINGA_API_USER" : "{{ icinga_api_user }}",
"ICINGA_API_PASS" : "{{ icinga_api_pass }}",
"ICINGA_API_URL" : "{{ icinga_api_url }}",
"ICINGA_WEB_URL" : "{{ icinga_web_url }}",
"ASYNC_ICINGA_DUMMY_HOST" : "ASYNC_ICINGA"
}
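Review bot: The values are interpolated into JSON as plain `"{{ icinga_api_pass }}"` (L1044-1047) and `"{{ service['token'] }}"` in the sibling template at L1050-1059, so a password or token containing `"` or `\` produces invalid JSON at deploy time rather than being escaped. Using `{{ icinga_api_pass | to_json }}` (which supplies the quotes itself) for every value, or rendering the whole dict with `to_nice_json`, avoids that class of breakage.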
@@ -0,0 +1,9 @@
{
{% for service in async_icinga_static_services %}
"{{ service['name'] }}" : {
"timeout" : "{{ service['timeout'] }}",
"token" : "{{ service['token'] }}",
"owner" : "{{ service['owner'] }}"
}{% if not loop.last %},{% endif %}
{% endfor %}
}
@@ -0,0 +1,8 @@
async-icinga:
volumes:
- "/data/async-icinga/:/app/config"
- "/data/async-icinga/instance/:/app/instance/"
restart: always
ports:
- 6006:5000
image: harbor-registry.atlantishq.de/atlantishq/async-icinga
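Review bot: `ports: - 6006:5000` publishes the service on every host interface, and Docker accepts published ports in its FORWARD/DOCKER chain rather than INPUT, so the host's iptables role (L568) does not restrict them unless it also manages `DOCKER-USER`. If only the reverse proxy or oauth2-proxy on this host talks to the container, `127.0.0.1:6006:5000` limits the exposure; the same applies to the other compose files in this commit (L1072, L1080, L1105, L1115, L1138, L1153, L1161, L1182, L1189). This is inferred from the compose files alone — if a host-level firewall already handles the DOCKER-USER chain, the point is moot.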
@@ -0,0 +1,5 @@
athqlanding:
ports:
- 5002:5000
image: registry.atlantishq.de/athq/landing-page
restart: always
@@ -0,0 +1,10 @@
atlantis-hub:
image: registry.atlantishq.de/atlantis-hub:latest
restart: always
ports:
- 6011:5000
volumes:
- /data/atlantis-hub/config.yaml:/app/config.yaml
- /data/atlantis-hub/static-icons/:/app/static/icons/
- /data/atlantis-hub/sqlite-instance/:/app/instance/
- /data/atlantis-hub/static-cache/:/app/static/cache/
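Review bot: The compose file mounts `/data/atlantis-hub/sqlite-instance/` (L1084), but the task that pre-creates the hub directories makes `instance`, not `sqlite-instance` (L908-911), so the SQLite directory is created by the Docker daemon as root with default permissions on first start. Aligning the two names (and setting the `owner`/`mode` the app expects) keeps the data directory under Ansible's control.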
@@ -0,0 +1,28 @@
atlantis-verify:
image: harbor-registry.atlantishq.de/atlantishq/atlantis-verify:latest
restart: always
environment:
LDAP_SERVER: ldap://{{ ldap_server }}
LDAP_BIND_DN: {{ ldap_bind_dn }}
LDAP_BIND_PW: {{ ldap_password }}
LDAP_BASE_DN: {{ ldap_user_dn }}
DISPATCH_SERVER: {{ event_dispatcher_address }}
SQLALCHEMY_DATABASE_URI: "instance/database.sqlite"
KEYCLOAK_URL: https://{{ keycloak_address }}
KEYCLOAK_REALM: master
KEYCLOAK_ADMIN_USER: admin
KEYCLOAK_ADMIN_PASS: {{ keycloak_admin_password }}
MAIN_HOME: https://hub.atlantishq.de
DISPATCH_AUTH_USER: {{ event_dispatcher_user }}
DISPATCH_AUTH_PASSWORD: {{ event_dispatcher_pass }}
ports:
- {{ services[item].port + 1000 }}:5000
volumes:
- /data/atlantis-verify/instance/:/app/instance/
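Review bot: The environment values at L1091-1103 are unquoted Jinja in YAML (`LDAP_BIND_PW: {{ ldap_password }}`), so a password starting with `*`, `&` or `{`, or containing `: ` / ` #`, changes the YAML meaning or fails to parse at deploy time; quote them as `LDAP_BIND_PW: "{{ ldap_password }}"` or use `{{ ldap_password | to_json }}`, as the event-dispatcher compose file already does (L1167-1172). Handing the app the Keycloak master-realm admin password (L1099-1100) gives it full control over every realm and client; if it only needs to look up or verify users, a dedicated service-account client with the minimal realm-management roles is the least-privilege alternative.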
@@ -0,0 +1,39 @@
version: "3.3"
services:
master:
image: harbor-registry.atlantishq.de/atlantishq/atlantis-webcheck-master:latest
restart: always
ports:
- {{ services[item].port + 1000 }}:5000
depends_on:
- queue
volumes:
- /data/atlantis-web-check/instance/:/app/instance/
environment:
- QUEUE_HOST=queue
- QUEUE_NAME=scheduled
- DISPATCH_SERVER={{ event_dispatcher_address }}
- DISPATCH_AUTH_USER={{ event_dispatcher_user }}
- DISPATCH_AUTH_PASSWORD={{ event_dispatcher_pass }}
scheduler:
image: harbor-registry.atlantishq.de/atlantishq/atlantis-webcheck-scheduler:latest
restart: always
depends_on:
- master
environment:
- MASTER_HOST=master:5000
- SLEEP_TIME=1
queue:
image: rabbitmq
restart: always
ports:
- 5672:5672
worker:
image: harbor-registry.atlantishq.de/atlantishq/atlantis-webcheck-worker:latest
restart: always
depends_on:
- master
environment:
- MASTER_HOST=master:5000
- QUEUE_HOST=queue
- QUEUE_NAME=scheduled
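Review bot: The `queue` service publishes `- 5672:5672` on every host interface although master and worker reach it by service name (`QUEUE_HOST=queue`) over the compose network, so the host port is not needed. Dropping the `ports:` block for `queue`, or binding it as `127.0.0.1:5672:5672` if a local tool needs it, keeps the broker off the network; the stock `rabbitmq` image only restricts its default `guest` account to loopback, which does not help once the port is published. No broker credentials are set anywhere in this hunk, so the services presumably rely on the image defaults — worth confirming.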
@@ -0,0 +1,9 @@
version: 3
service:
collabora:
ports:
- 9980:9980
image: collabora/code
restart: unless-stopped
environment:
- "extra_params=--o:ssl.enable=false --o:ssl.termination=true"
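Review bot: The top-level key is `service:` rather than `services:`, so compose will not find the collabora definition and reports an invalid file. `version: 3` is also an unquoted integer; compose expects a string here (`version: "3"`), and older validators reject the number. With `ssl.enable=false` the container listens in plain HTTP on 9980, which is published on all interfaces; if the TLS-terminating proxy implied by `ssl.termination=true` runs on the same host, `- 127.0.0.1:9980:9980` keeps the unencrypted listener local.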
@@ -0,0 +1,14 @@
event-dispatcher:
ports:
- 5007:5000
image: registry.atlantishq.de/athq/event-dispatcher
restart: always
volumes:
- "/data/event-dispatcher/instance/:/app/instance/"
environment:
SIGNAL_API_PASS: "{{ event_dispatcher_pass }}"
LDAP_SERVER : "{{ ldap_connection_url }}"
LDAP_BIND_DN : "{{ ldap_bind_dn }}"
LDAP_BIND_PW : "{{ ldap_password }}"
LDAP_BASE_DN : "{{ ldap_user_dn }}"
SIGNAL_GATEWAY_PASS: "{{ event_dispatcher_token }}"
@@ -0,0 +1,11 @@
gotify:
image: gotify/server
restart: always
environment:
- TZ="Europe/Berlin"
- GOTIFY_DEFAULTUSER_NAME={{ gotify_user }}
- GOTIFY_DEFAULTUSER_PASS={{ gotify_password }}
ports:
- 4001:80
volumes:
- /data/gotify/data:/app/data
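Review bot: In the list form of `environment:` the quotes in `- TZ="Europe/Berlin"` are part of the YAML scalar, so the container most likely receives the literal value `"Europe/Berlin"` including the quote characters and the zone lookup fails. Write it as `- TZ=Europe/Berlin`. The password line `- GOTIFY_DEFAULTUSER_PASS={{ gotify_password }}` works for simple values but will break on a secret containing ` #`; quoting the whole entry is the safe form.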
@@ -0,0 +1,10 @@
grafana:
ports:
- 4000:3000
image: grafana/grafana-oss
restart: always
volumes:
- "/data/grafana/grafana-var/:/var/lib/grafana"
- "/data/grafana/grafana.ini:/etc/grafana/grafana.ini"
environment:
GF_INSTALL_PLUGINS : "grafana-clock-panel,grafana-simple-json-datasource"
@@ -0,0 +1,39 @@
version: '3'
services:
database:
image: postgres:13.4-alpine
environment:
- POSTGRES_USER=hedgedoc
- POSTGRES_PASSWORD=D7OIx5VBUa7nEzdy6f
- POSTGRES_DB=hedgedoc
volumes:
- /data/hedgedoc/pgsql:/var/lib/postgresql/data
restart: always
app:
# Make sure to use the latest release from https://hedgedoc.org/latest-release
image: quay.io/hedgedoc/hedgedoc:1.9.9
environment:
- CMD_DB_URL=postgres://hedgedoc:D7OIx5VBUa7nEzdy6f@database:5432/hedgedoc
- CMD_DOMAIN=hedgedoc.atlantishq.de
- CMD_PROTOCOL_USESSL=true
- CMD_ALLOW_ORIGIN=['hedgedoc.atlantishq.de']
- CMD_EMAIL=false
- CMD_ALLOW_EMAIL_REGISTER=false
- CMD_OAUTH2_USER_PROFILE_URL=https://{{ keycloak_address }}/realms/master/protocol/openid-connect/userinfo
- CMD_OAUTH2_TOKEN_URL=https://{{ keycloak_address }}/realms/master/protocol/openid-connect/token
- CMD_OAUTH2_AUTHORIZATION_URL=https://{{ keycloak_address }}/realms/master/protocol/openid-connect/auth
- CMD_OAUTH2_CLIENT_ID=z_hedgedoc
- CMD_OAUTH2_CLIENT_SECRET=T4kvtI0ZF1JepEbmTm9bCksCJkuDOicGd
- CMD_OAUTH2_SCOPE=openid email profile
- CMD_OAUTH2_ROLES_CLAIM=roles
- CMD_OAUTH2_PROVIDERNAME=AtlantisHQ Auth
- CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR=preferred_username
- CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR=name
- CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR=email
volumes:
- /data/hedgedoc/uploads:/hedgedoc/public/uploads
ports:
- "5012:3000"
restart: always
depends_on:
- database
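Review bot: The Postgres password on the `POSTGRES_PASSWORD` and `CMD_DB_URL` lines and the OAuth2 client secret on the `CMD_OAUTH2_CLIENT_SECRET` line are literal values in a committed template, while the neighbouring sections take their secrets from Jinja variables. Since they are now in git history they should be rotated and moved to vault-backed variables, e.g. `- POSTGRES_PASSWORD={{ hedgedoc_db_password }}`; the same applies to the JWT secret in the money-balancer section and to the Minio, Postgres and token secrets in the reactive-resume section. `CMD_ALLOW_ORIGIN=['hedgedoc.atlantishq.de']` looks like a literal Python/JS list; HedgeDoc documents this variable as a comma-separated list, so the brackets and quotes probably end up in the origin string — verify against the HedgeDoc docs for 1.9.9.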
@@ -0,0 +1,10 @@
heimdall:
image: linuxserver/heimdall:latest
restart: always
ports:
- 6011:80
volumes:
- /data/heimdall/:/config/
environment:
- PGID=1000
- PUID=1000
@@ -0,0 +1,15 @@
version: "3"
services:
money-balancer:
image: ghcr.io/dorianim/money-balancer
restart: unless-stopped
ports:
- {{ services[item].port + 1000 }}:8000
volumes:
- /data/money-balancer:/data
environment:
- MONEYBALANCER_JWT_SECRET=Opta7EkHqgBWUDZULVypcP8FCxw511
- MONEYBALANCER_AUTH_LOCAL_ENABLED=false
- MONEYBALANCER_AUTH_PROXY_ENABLED=true
- MONEYBALANCER_AUTH_PROXY_HEADERS_USERNAME=x-forwarded-preferred-username
- MONEYBALANCER_AUTH_PROXY_HEADERS_NICKNAME=x-forwarded-preferred-username
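Review bot: With `MONEYBALANCER_AUTH_PROXY_ENABLED=true` the app trusts the `x-forwarded-preferred-username` header as the authenticated identity, yet the service is published on all interfaces via `{{ services[item].port + 1000 }}:8000`; any client that can reach that host port directly, bypassing the reverse proxy, can supply the header and act as any user. If the proxy runs on the same host, publish as `- 127.0.0.1:{{ services[item].port + 1000 }}:8000`; otherwise restrict the port to the proxy's address in the iptables role. The `MONEYBALANCER_JWT_SECRET` value is a committed literal and should come from a vault variable.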
@@ -0,0 +1,6 @@
potaris:
ports:
- 5003:5000
- 5004:5000
image: harbor-registry.atlantishq.de/atlantishq/potaris-next-gen-web
restart: always
@@ -0,0 +1,12 @@
version: '3'
services:
image-factory:
image: harbor-registry.atlantishq.de/atlantishq/atlantis-image-factory:latest
restart: always
ports:
- "{{ services[item].port + 1000 }}:5000"
environment:
UPLOAD_ENABLED: "yes"
PICTURES_DIRECTORY: pictures
volumes:
- "/data/image-factory/pictures/:/app/pictures/"
@@ -0,0 +1,93 @@
version: "3.8"
services:
minio:
image: minio/minio
restart: unless-stopped
command: server /data
ports:
- 9000:9000
volumes:
- /data/reactive-resume/minio/:/data
networks:
- resume
environment:
MINIO_ROOT_USER: minioadmin
MINIO_ROOT_PASSWORD: WGTVrFT73kwv0CbKa0PR
db:
image: postgres:13
environment:
- POSTGRES_USER=reactiveresume
- POSTGRES_PASSWORD=pwMOJntCfXdwF9ExnjNi
- POSTGRES_DB=reactiveresume
restart: always
volumes:
- /data/reative-resume-postgres/:/var/lib/postgresql/data
networks:
- resume
redis:
image: redis:latest
environment:
- TZ=Europe/Berlin
restart: unless-stopped
networks:
- resume
chrome:
image: browserless/chrome:latest
networks:
- resume
app:
image: amruthpillai/reactive-resume:latest
restart: unless-stopped
ports:
- {{ services[item].port + 1000 }}:3000
networks:
- resume
depends_on:
- db
- minio
- redis
- chrome
environment:
# -- Environment Variables --
PORT: 3000
NODE_ENV: production
# -- URLs --
PUBLIC_URL: https://resume.atlantishq.de
STORAGE_URL: http://localhost:9000
# -- Printer (Chrome) --
CHROME_TOKEN: chrome_token
CHROME_URL: ws://chrome:3000
# -- Database (Postgres) --
DATABASE_URL: postgresql://reactiveresume:pwMOJntCfXdwF9ExnjNi@db:5432/postgres
# -- Auth --
ACCESS_TOKEN_SECRET: 2EkPnUqJIE2EkPnUqJIE
REFRESH_TOKEN_SECRET: cihib7NzMxcihib7NzMx
# -- Emails --
MAIL_FROM: noreply@atlantishq.de
SMTP_URL: smtp://{{ smtp_service_user }}@atlantishq.de:{{ smtp_service_pass }}@{{ smtp_internal_host }}:{{ smtp_internal_host_port }}
# -- Storage (Minio) --
STORAGE_ENDPOINT: minio
STORAGE_PORT: 9000
STORAGE_BUCKET: default
STORAGE_ACCESS_KEY: minioadmin
STORAGE_SECRET_KEY: WGTVrFT73kwv0CbKa0PR
# -- Cache (Redis) --
REDIS_URL: redis://default:password@redis:6379
# -- Email (Optional) --
# DISABLE_EMAIL_AUTH: true
# VITE_DISABLE_SIGNUPS: true
networks:
resume:
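Review bot: `DATABASE_URL` ends in `/postgres` while the `db` service creates the database `reactiveresume` (`POSTGRES_DB=reactiveresume`), so the app connects to the maintenance database instead of the one provisioned for it; use `postgresql://reactiveresume:...@db:5432/reactiveresume`. The bind mount `/data/reative-resume-postgres/` is spelled differently from the `/data/reactive-resume/minio/` path above it — probably a typo that will leave the Postgres data in an unexpected directory. `STORAGE_URL: http://localhost:9000` is the address handed to browsers for stored files; it only works for a browser on the Docker host, so it likely needs the public hostname. The Minio, Postgres and token secrets on this page are literals and belong in vault variables.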
@@ -0,0 +1,5 @@
sector32:
ports:
- 5001:5000
image: registry.atlantishq.de/athq/sector32
restart: always
@@ -0,0 +1,14 @@
version: '3'
services:
soundlib:
image: harbor-registry.atlantishq.de/atlantishq/atlantis-soundlib:latest
restart: always
ports:
- "{{ services[item].port + 1000 }}:5000"
environment:
S3_BUCKET: soundlib
AWS_ACCESS_KEY_ID: {{ SOUNDLIB_AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: {{ SOUNDLIB_AWS_SECRET_ACCESS_KEY }}
S3_ENDPOINT: {{ SOUNDLIB_S3_ENDPOINT }}
volumes:
- /data/soundlib/instance/:/app/instance/
@@ -0,0 +1,14 @@
tmnf-replay-server:
image: harbor-registry.atlantishq.de/atlantishq/tmnf-replay-server:latest
restart: always
ports:
- 6010:5000
volumes:
- /data/tmnf-replay-server/data/:/app/data/
- /data/tmnf-replay-server/uploads/:/app/uploads/
environment:
SQLITE_LOCATION: sqlite:////app/data/sqlite.db
DISPATCH_SERVER: {{ event_dispatcher_address }}
DISPATCH_AUTH_USER: {{ event_dispatcher_user }}
DISPATCH_AUTH_PASSWORD: {{ event_dispatcher_pass }}
@@ -0,0 +1,27 @@
version: "3.4"
services:
obfs4-bridge:
image: thetorproject/obfs4-bridge:latest
networks:
- obfs4_bridge_external_network
environment:
- OR_PORT=20000
- PT_PORT=20001
- EMAIL=nobody@nowhere.com
- NICKNAME=nowhere
- OBFS4_ENABLE_ADDITIONAL_VARIABLES=1
- OBFS4V_AddressDisableIPv6=1
# - OBFS4V_PublishServerDescriptor=0
volumes:
- data:/var/lib/tor
ports:
- 20000:20000
- 20001:20001
restart: unless-stopped
volumes:
data:
name: tor-datadir-20000-20001
networks:
obfs4_bridge_external_network:
+59
@@ -0,0 +1,59 @@
- name: nsca-ng service reload
systemd:
name: nsca-ng
state: restarted
enabled: yes
daemon_reload: yes
- name: restart rsyslog
systemd:
name: rsyslog
state: restarted
- name: restart collectd
systemd:
name: collectd
state: restarted
- name: restart influxdb
systemd:
name: influxdb
state: restarted
- name: restart postfix
systemd:
name: postfix
state: restarted
- name: restart dovecot
systemd:
name: dovecot
state: restarted
- name: restart nginx
systemd:
name: nginx
state: restarted
- name: restart ldap
systemd:
name: ldap
state: restarted
- name: restart opendkim
systemd:
name: opendkim
state: restarted
- name: restart slapd
systemd:
name: slapd-custom
state: restarted
- name: daemon reload
systemd:
daemon-reload: yes
- name: apt update
apt:
update_cache: yes
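Review bot: `restart ldap` targets a unit named `ldap` while `restart slapd` targets `slapd-custom`; if no `ldap` unit exists on the target, any task notifying `restart ldap` fails the play. Keeping a single handler for the directory service, or documenting which unit is which, avoids the ambiguity. The handler named `nsca-ng service reload` actually performs `state: restarted`; naming it `restart nsca-ng` would match the rest of the file.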
@@ -0,0 +1,13 @@
{
"auth_mode": "oidc_auth",
"oidc_name": "AtlantisHQ Accounts",
"oidc_endpoint": "https://keycloak.atlantishq.de/realms/master",
"oidc_groups_claim": "groups",
"oidc_admin_group": "pki",
"oidc_client_id": "z_harbor",
"oidc_client_secret": "TODO MUST BE SET",
"oidc_scope": "openid,email,profile",
"oidc_verify_cert": "true",
"oidc_auto_onboard": "true",
"oidc_user_claim": "preferred_username"
}
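Review bot: `"oidc_client_secret": "TODO MUST BE SET"` is read verbatim by the `lookup('file', 'harbor-oidc.json')` in the harbor tasks and injected as `CONFIG_OVERWRITE_JSON`, so every run overwrites Harbor's OIDC client secret with the placeholder and OIDC login stops working after the first install. Render this file as a template instead, e.g. `lookup('template', 'harbor-oidc.json.j2')` with `"oidc_client_secret": {{ harbor_oidc_client_secret | to_json }},` fed from a vault variable. Note that `oidc_admin_group: "pki"` grants Harbor administrator to every member of that group, which is worth stating in a comment so it is not widened by accident.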
+5
@@ -0,0 +1,5 @@
- name: restart harbor
docker_compose:
project_src: /opt/harbor/
state: present
restarted: yes
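Review bot: `docker_compose` is a short module name from the community.docker collection, not community.general, so this handler only resolves if community.docker is installed; use the FQCN `community.docker.docker_compose` so the dependency is explicit. Recent community.docker releases have removed the v1 `docker_compose` module in favour of `docker_compose_v2`, so this handler may need to be ported when the collection is upgraded.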
+2
@@ -0,0 +1,2 @@
dependencies:
- global-handlers
+50
@@ -0,0 +1,50 @@
- name: Install Docker prerequisites
apt:
state: present
pkg:
- docker.io
- docker-compose
- name: Create /data/ dir
file:
path: /data/
state: directory
- name: Download release
get_url:
url: https://github.com/goharbor/harbor/releases/download/{{ harbor_version }}/{{ harbor_file }}
dest: /opt/{{ harbor_file }}
- name: Extract release
unarchive:
remote_src: true
src: /opt/harbor-online-installer-v2.10.0.tgz
dest: /opt/
register: release
- name: Copy harbor config
template:
src: harbor.config.yaml
dest: /opt/harbor/harbor.yml # mind the missing a
register: config
- name: run installer
shell:
cmd: ./install.sh --with-trivy
chdir: /opt/harbor/
when: config.changed or release.changed
notify: restart harbor
- name: Inject OIDC Config
lineinfile:
state: present
path: /opt/harbor/common/config/core/env
line: CONFIG_OVERWRITE_JSON={{ lookup('file','harbor-oidc.json') | from_json | to_json }}
regex: CONFIG_OVERWRITE_JSON=
notify: restart harbor
- name: Add @reboot compose job # harbor deps are meh, restart: always is not safe
cron:
name: "Harbor Up"
special_time: "reboot"
job: "/usr/bin/docker-compose -f /opt/harbor/docker-compose.yml up"
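Review bot: The `Extract release` task hard-codes `src: /opt/harbor-online-installer-v2.10.0.tgz` while the download writes `/opt/{{ harbor_file }}`, so bumping `harbor_version` silently unpacks the old archive; use `src: /opt/{{ harbor_file }}`. The `get_url` task fetches an installer that is then executed as root without a `checksum:`, so a tampered or truncated download runs unverified — add `checksum: sha256:<expected digest>` from the release page. The reboot cron job runs `docker-compose ... up` without `-d`, which keeps the cron process attached in the foreground; `up -d` is the usual form.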
@@ -0,0 +1,306 @@
# Configuration file of Harbor
# The IP address or hostname to access admin UI and registry service.
# DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
hostname: NOPE
# http related config
http:
# port for http, default is 80. If https enabled, this port will redirect to https port
port: 80
# https related config
#https:
# # https port for harbor, default is 443
# port: 443
# # The path of cert and key files for nginx
# certificate: /your/certificate/path
# private_key: /your/private/key/path
# # Uncomment following will enable tls communication between all harbor components
# internal_tls:
# # set enabled to true means internal tls is enabled
# enabled: true
# # put your cert and key files on dir
# dir: /etc/harbor/tls/internal
# # enable strong ssl ciphers (default: false)
# strong_ssl_ciphers: false
# Uncomment external_url if you want to enable external proxy
# And when it enabled the hostname will no longer used
external_url: https://harbor-registry.atlantishq.de
# The initial password of Harbor admin
# It only works in first time to install harbor
# Remember Change the admin password from UI after launching Harbor.
harbor_admin_password: {{ harbor_admin_password }}
# Harbor DB configuration
database:
# The password for the root user of Harbor DB. Change this before any production use.
password: {{ harbor_db_password }}
# The maximum number of connections in the idle connection pool. If it <=0, no idle connections are retained.
max_idle_conns: 100
# The maximum number of open connections to the database. If it <= 0, then there is no limit on the number of open connections.
# Note: the default number of connections is 1024 for postgres of harbor.
max_open_conns: 900
# The maximum amount of time a connection may be reused. Expired connections may be closed lazily before reuse. If it <= 0, connections are not closed due to a connection's age.
# The value is a duration string. A duration string is a possibly signed sequence of decimal numbers, each with optional fraction and a unit suffix, such as "300ms", "-1.5h" or "2h45m". Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
conn_max_lifetime: 5m
# The maximum amount of time a connection may be idle. Expired connections may be closed lazily before reuse. If it <= 0, connections are not closed due to a connection's idle time.
# The value is a duration string. A duration string is a possibly signed sequence of decimal numbers, each with optional fraction and a unit suffix, such as "300ms", "-1.5h" or "2h45m". Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
conn_max_idle_time: 0
# The default data volume
data_volume: /data/harbor/
# Harbor Storage settings by default is using /data dir on local filesystem
# Uncomment storage_service setting If you want to using external storage
# storage_service:
# # ca_bundle is the path to the custom root ca certificate, which will be injected into the truststore
# # of registry's containers. This is usually needed when the user hosts a internal storage with self signed certificate.
# ca_bundle:
# # storage backend, default is filesystem, options include filesystem, azure, gcs, s3, swift and oss
# # for more info about this configuration please refer https://docs.docker.com/registry/configuration/
# filesystem:
# maxthreads: 100
# # set disable to true when you want to disable registry redirect
# redirect:
# disable: false
# Trivy configuration
#
# Trivy DB contains vulnerability information from NVD, Red Hat, and many other upstream vulnerability databases.
# It is downloaded by Trivy from the GitHub release page https://github.com/aquasecurity/trivy-db/releases and cached
# in the local file system. In addition, the database contains the update timestamp so Trivy can detect whether it
# should download a newer version from the Internet or use the cached one. Currently, the database is updated every
# 12 hours and published as a new release to GitHub.
trivy:
# ignoreUnfixed The flag to display only fixed vulnerabilities
ignore_unfixed: false
# skipUpdate The flag to enable or disable Trivy DB downloads from GitHub
#
# You might want to enable this flag in test or CI/CD environments to avoid GitHub rate limiting issues.
# If the flag is enabled you have to download the `trivy-offline.tar.gz` archive manually, extract `trivy.db` and
# `metadata.json` files and mount them in the `/home/scanner/.cache/trivy/db` path.
skip_update: false
#
# The offline_scan option prevents Trivy from sending API requests to identify dependencies.
# Scanning JAR files and pom.xml may require Internet access for better detection, but this option tries to avoid it.
# For example, the offline mode will not try to resolve transitive dependencies in pom.xml when the dependency doesn't
# exist in the local repositories. It means a number of detected vulnerabilities might be fewer in offline mode.
# It would work if all the dependencies are in local.
# This option doesn't affect DB download. You need to specify "skip-update" as well as "offline-scan" in an air-gapped environment.
offline_scan: false
#
# Comma-separated list of what security issues to detect. Possible values are `vuln`, `config` and `secret`. Defaults to `vuln`.
security_check: vuln
#
# insecure The flag to skip verifying registry certificate
insecure: false
# github_token The GitHub access token to download Trivy DB
#
# Anonymous downloads from GitHub are subject to the limit of 60 requests per hour. Normally such rate limit is enough
# for production operations. If, for any reason, it's not enough, you could increase the rate limit to 5000
# requests per hour by specifying the GitHub access token. For more details on GitHub rate limiting please consult
# https://docs.github.com/rest/overview/resources-in-the-rest-api#rate-limiting
#
# You can create a GitHub token by following the instructions in
# https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line
#
# github_token: xxx
jobservice:
# Maximum number of job workers in job service
max_job_workers: 10
# The jobLoggers backend name, only support "STD_OUTPUT", "FILE" and/or "DB"
job_loggers:
- STD_OUTPUT
- FILE
# - DB
# The jobLogger sweeper duration (ignored if `jobLogger` is `stdout`)
logger_sweeper_duration: 1 #days
notification:
# Maximum retry count for webhook job
webhook_job_max_retry: 3
# HTTP client timeout for webhook job
webhook_job_http_client_timeout: 3 #seconds
# Log configurations
log:
# options are debug, info, warning, error, fatal
level: info
# configs for logs in local storage
local:
# Log files are rotated log_rotate_count times before being removed. If count is 0, old versions are removed rather than rotated.
rotate_count: 50
# Log files are rotated only if they grow bigger than log_rotate_size bytes. If size is followed by k, the size is assumed to be in kilobytes.
# If the M is used, the size is in megabytes, and if G is used, the size is in gigabytes. So size 100, size 100k, size 100M and size 100G
# are all valid.
rotate_size: 200M
# The directory on your host that store log
location: /var/log/harbor
# Uncomment following lines to enable external syslog endpoint.
# external_endpoint:
# # protocol used to transmit log to external endpoint, options is tcp or udp
# protocol: tcp
# # The host of external endpoint
# host: localhost
# # Port of external endpoint
# port: 5140
#This attribute is for migrator to detect the version of the .cfg file, DO NOT MODIFY!
_version: 2.10.0
# Uncomment external_database if using external database.
# external_database:
# harbor:
# host: harbor_db_host
# port: harbor_db_port
# db_name: harbor_db_name
# username: harbor_db_username
# password: harbor_db_password
# ssl_mode: disable
# max_idle_conns: 2
# max_open_conns: 0
# Uncomment redis if need to customize redis db
# redis:
# # db_index 0 is for core, it's unchangeable
# # registry_db_index: 1
# # jobservice_db_index: 2
# # trivy_db_index: 5
# # it's optional, the db for harbor business misc, by default is 0, uncomment it if you want to change it.
# # harbor_db_index: 6
# # it's optional, the db for harbor cache layer, by default is 0, uncomment it if you want to change it.
# # cache_db_index: 7
# Uncomment redis if need to customize redis db
# redis:
# # db_index 0 is for core, it's unchangeable
# # registry_db_index: 1
# # jobservice_db_index: 2
# # trivy_db_index: 5
# # it's optional, the db for harbor business misc, by default is 0, uncomment it if you want to change it.
# # harbor_db_index: 6
# # it's optional, the db for harbor cache layer, by default is 0, uncomment it if you want to change it.
# # cache_layer_db_index: 7
# Uncomment external_redis if using external Redis server
# external_redis:
# # support redis, redis+sentinel
# # host for redis: <host_redis>:<port_redis>
# # host for redis+sentinel:
# # <host_sentinel1>:<port_sentinel1>,<host_sentinel2>:<port_sentinel2>,<host_sentinel3>:<port_sentinel3>
# host: redis:6379
# password:
# # Redis AUTH command was extended in Redis 6, it is possible to use it in the two-arguments AUTH <username> <password> form.
# # there's a known issue when using external redis username ref:https://github.com/goharbor/harbor/issues/18892
# # if you care about the image pull/push performance, please refer to this https://github.com/goharbor/harbor/wiki/Harbor-FAQs#external-redis-username-password-usage
# # username:
# # sentinel_master_set must be set to support redis+sentinel
# #sentinel_master_set:
# # db_index 0 is for core, it's unchangeable
# registry_db_index: 1
# jobservice_db_index: 2
# trivy_db_index: 5
# idle_timeout_seconds: 30
# # it's optional, the db for harbor business misc, by default is 0, uncomment it if you want to change it.
# # harbor_db_index: 6
# # it's optional, the db for harbor cache layer, by default is 0, uncomment it if you want to change it.
# # cache_layer_db_index: 7
# Uncomment uaa for trusting the certificate of uaa instance that is hosted via self-signed cert.
# uaa:
# ca_file: /path/to/ca
# Global proxy
# Config http proxy for components, e.g. http://my.proxy.com:3128
# Components doesn't need to connect to each others via http proxy.
# Remove component from `components` array if want disable proxy
# for it. If you want use proxy for replication, MUST enable proxy
# for core and jobservice, and set `http_proxy` and `https_proxy`.
# Add domain to the `no_proxy` field, when you want disable proxy
# for some special registry.
proxy:
http_proxy:
https_proxy:
no_proxy:
components:
- core
- jobservice
- trivy
# metric:
# enabled: false
# port: 9090
# path: /metrics
# Trace related config
# only can enable one trace provider(jaeger or otel) at the same time,
# and when using jaeger as provider, can only enable it with agent mode or collector mode.
# if using jaeger collector mode, uncomment endpoint and uncomment username, password if needed
# if using jaeger agetn mode uncomment agent_host and agent_port
# trace:
# enabled: true
# # set sample_rate to 1 if you wanna sampling 100% of trace data; set 0.5 if you wanna sampling 50% of trace data, and so forth
# sample_rate: 1
# # # namespace used to differenciate different harbor services
# # namespace:
# # # attributes is a key value dict contains user defined attributes used to initialize trace provider
# # attributes:
# # application: harbor
# # # jaeger should be 1.26 or newer.
# # jaeger:
# # endpoint: http://hostname:14268/api/traces
# # username:
# # password:
# # agent_host: hostname
# # # export trace data by jaeger.thrift in compact mode
# # agent_port: 6831
# # otel:
# # endpoint: hostname:4318
# # url_path: /v1/traces
# # compression: false
# # insecure: true
# # # timeout is in seconds
# # timeout: 10
# Enable purge _upload directories
upload_purging:
enabled: true
# remove files in _upload directories which exist for a period of time, default is one week.
age: 168h
# the interval of the purge operations
interval: 24h
dryrun: false
# Cache layer configurations
# If this feature enabled, harbor will cache the resource
# `project/project_metadata/repository/artifact/manifest` in the redis
# which can especially help to improve the performance of high concurrent
# manifest pulling.
# NOTICE
# If you are deploying Harbor in HA mode, make sure that all the harbor
# instances have the same behaviour, all with caching enabled or disabled,
# otherwise it can lead to potential data inconsistency.
cache:
# not enabled by default
enabled: false
# keep cache for one day by default
expire_hours: 24
# Harbor core configurations
# Uncomment to enable the following harbor core related configuration items.
# core:
# # The provider for updating project quota(usage), there are 2 options, redis or db,
# # by default is implemented by db but you can switch the updation via redis which
# # can improve the performance of high concurrent pushing to the same project,
# # and reduce the database connections spike and occupies.
# # By redis will bring up some delay for quota usage updation for display, so only
# # suggest switch provider to redis if you were ran into the db connections spike aroud
# # the scenario of high concurrent pushing to same project, no improvment for other scenes.
# quota_update_provider: redis # Or db
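Review bot: Harbor is configured to listen in plain HTTP (`http: port: 80`) while `external_url` advertises https, and the `internal_tls` block stays commented out. That is fine when the TLS-terminating proxy sits on the same host or an isolated network, but if the proxy is elsewhere, registry bearer tokens and image layers cross the wire unencrypted; a comment stating where TLS is terminated would make the assumption explicit. `hostname: NOPE` is unused once `external_url` is set, per the comment above it, but a real value avoids confusion if `external_url` is ever removed.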
+84
@@ -0,0 +1,84 @@
- name: Install iptables
apt:
state: present
pkg:
- iptables
- name: Allow related and established connections
ansible.builtin.iptables:
chain: INPUT
ctstate: ESTABLISHED,RELATED
jump: ACCEPT
- name: Allow Hypervisor
ansible.builtin.iptables:
chain: INPUT
source: 192.168.122.1
jump: ACCEPT
comment: "allow hypervisor"
- name: Allow ping from monitoring
ansible.builtin.iptables:
chain: INPUT
source: 192.168.122.107
protocol: icmp
jump: ACCEPT
comment: "allow monitoring to ping"
- name: Allow TLS Check from monitoring on mail
ansible.builtin.iptables:
chain: INPUT
source: 192.168.122.107
protocol: tcp
destination_port: "{{ item }}"
jump: ACCEPT
comment: "allow monitoring to check mail TLS ports"
with_items:
- 465
- 993
- name: Allow ping from zabbix
ansible.builtin.iptables:
chain: INPUT
source: 192.168.122.117
protocol: icmp
jump: ACCEPT
comment: "allow zabbix to ping"
- name: Allow zabbix-agent from zabbix
ansible.builtin.iptables:
chain: INPUT
source: 192.168.122.117
protocol: tcp
destination_port: "10050"
jump: ACCEPT
comment: "allow zabbix to connect to agent"
- name: Allow node-exporter from prometheus
ansible.builtin.iptables:
chain: INPUT
source: 192.168.122.120
protocol: tcp
destination_port: "9100"
jump: ACCEPT
comment: "allow prometheus to access node-exporter"
- name: Open Configured internal ports
ansible.builtin.iptables:
chain: INPUT
destination_port: "{{ item.port }}"
source: 192.168.122.0/24
protocol: "{{ item.protocol }}"
comment: "{{ item.comment }}"
jump: ACCEPT
loop: "{{ extra_internal_iptables_ports_allow }}"
when: extra_internal_iptables_ports_allow is defined
- name: Reject everything else in internal network
ansible.builtin.iptables:
chain: INPUT
source: 192.168.122.0/24
comment: "Block internal network"
jump: REJECT
reject_with: icmp-admin-prohibited
state: present
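Review bot: The final `Reject everything else in internal network` task appends a REJECT rule for 192.168.122.0/24, and the `iptables` module defaults to `action: append`; on a second run, any ACCEPT rule that was added or changed (for instance a new entry in `extra_internal_iptables_ports_allow`) is appended after the existing REJECT and never matches. Give the ACCEPT tasks `action: insert` so they always land before the REJECT, or manage the chain order explicitly. Nothing in this hunk persists the ruleset (no iptables-persistent or `iptables-save`), so the rules are lost on reboot unless another role handles that.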
+122
@@ -0,0 +1,122 @@
# Enable installed protocols
!include_try /usr/share/dovecot/protocols.d/*.protocol
# logs
info_log_path = /var/dovecot/logs/dovecot_info.log
log_path = /var/dovecot/logs/dovecot.log
protocols = imap pop3 lmtp
# We're using Maildir format
mail_location = maildir:~/Maildir
# If you're using POP3, you'll need this:
pop3_uidl_format = %g
# Authentication configuration:
auth_verbose = yes
auth_mechanisms = plain login
disable_plaintext_auth = no
passdb {
driver = passwd-file
args = scheme=SHA512-CRYPT username_format=%n /var/dovecot/auth/passwd
}
userdb {
driver = passwd-file
args = username_format=%n /var/dovecot/auth/passwd
}
# Postmaster
protocol lda {
postmaster_address = postmaster@example.com
}
# Quotas mus be defined like this in passwd userdb_quota_rule=*:storage=100M
mail_plugins = $mail_plugins quota
protocol imap {
mail_plugins = $mail_plugins imap_quota
}
plugin {
quota = maildir
}
## SSL settings
# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
ssl = yes
ssl_cert = </etc/letsencrypt/live/atlantishq.de/fullchain.pem
ssl_key = </etc/letsencrypt/live/atlantishq.de/privkey.pem
ssl_min_protocol = TLSv1.1
ssl_cipher_list = HIGH:!aNULL
ssl_prefer_server_ciphers = yes
default_login_user = dovenull
default_internal_user = dovecot
####### IMAP #######
service imap-login {
inet_listener imaps {
port = 993
ssl = yes
}
inet_listener imap {
port = 0
}
service_count = 1
process_min_avail = 1
vsz_limit = 100M
}
protocol imap {
imap_client_workarounds = tb-extra-mailbox-sep
}
service imap {
vsz_limit = 100M
process_limit = 100
}
####### POP3 #######
service pop3-login {
inet_listener pop3s {
port = 995
ssl = yes
}
inet_listener pop3 {
port = 0
}
}
service pop3 {
process_limit = 100
}
###### LMTP #######
service lmtp {
unix_listener /var/spool/postfix/private/dovecot_lmtp_target {
mode = 0600
group = postfix
user = postfix
}
}
###### AUTH ######
service auth {
unix_listener auth-userdb {
mode = 0600
group = postfix
user = postfix
}
# Postfix smtp-auth
unix_listener /var/spool/postfix/private/auth {
mode = 0600
group = postfix
user = postfix
}
user = dovecot
}
service auth-worker {
user = dovecot
}
first_valid_uid = 100
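Review bot: `ssl_min_protocol = TLSv1.1` still admits TLS 1.1, which is deprecated; set `ssl_min_protocol = TLSv1.2` (the postfix main.cf section lists `TLSv1.1` in its protocol settings as well). `disable_plaintext_auth = no` is unnecessary since the plain `imap` and `pop3` listeners are disabled with `port = 0` and only the TLS-wrapped ports accept logins; the default `yes` protects against a future non-TLS listener. `postmaster_address = postmaster@example.com` is a placeholder that will receive bounce notifications.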
+1
@@ -0,0 +1 @@
noreply:{SHA512-CRYPT}$6$XXXXXXXXXXXXXXXXXXXuse this: $(mkpasswd -msha512crypt)XXXXX:106:113::/var/dovecot/noreply::userdb_mail=maildir:~/Maildir ::userdb_quota_rule=*:bytes=5000M
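Review bot: The password field is a placeholder containing instructions rather than a hash, so this file as deployed gives the noreply account no working login; render it from a vault variable via `template` (for example `noreply:{SHA512-CRYPT}{{ noreply_password_hash }}:106:113::...`). In passwd-file the extra fields after the shell are space-separated `key=value` pairs, so the ` ::userdb_quota_rule=` part appears to be parsed as a field named `::userdb_quota_rule` — probably `userdb_mail=maildir:~/Maildir userdb_quota_rule=*:bytes=5000M` was intended; verify against the dovecot passwd-file format.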
+1
@@ -0,0 +1 @@
sqlite postfix-sqlite.so dict_sqlite_open
+9
@@ -0,0 +1,9 @@
# Sender adress the user may use :)
sheppy@atlantishq.de sheppy@atlantishq.de
ths-nas@atlantishq.de ths-nas@atlantishq.de
joerg@darknet-fashion.de joerg@darknet-fashion.de
yannik.schmidt@potaris.de yannik.schmidt@potaris.de
noreply@atlantishq.de noreply@atlantishq.de
@darknet-fashion.de joerg
@darknet-fashion.com joerg
@atlantishq.de sheppy
+1
@@ -0,0 +1 @@
/^X-Spam-Flag: YES/ REDIRECT spamsink@atlantishq.de
+102
@@ -0,0 +1,102 @@
# let's confuse atackers
smtpd_banner = $myhostname Postfix
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
# delay_warning_time = 10h
queue_directory = /var/spool/postfix
# TLS parameters
smtpd_tls_cert_file=/etc/letsencrypt/live/atlantishq.de/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/atlantishq.de/privkey.pem
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
# tls paramaters
smtpd_tls_protocols = TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtp_tls_protocols = TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtp_tls_ciphers = high
smtpd_tls_ciphers = high
smtpd_tls_mandatory_protocols = TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtp_tls_mandatory_protocols = TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtp_tls_mandatory_ciphers = high
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
smtpd_tls_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
smtp_tls_mandatory_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
smtp_tls_exclude_ciphers = MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
tls_preempt_cipherlist = yes
# breaks mailman for obvious reasons
smtpd_tls_security_level=may
smtpd_tls_auth_only = yes
# SMTP (mainly from dovecot documentation)
smtpd_relay_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination,reject_non_fqdn_sender
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
smtp_tls_mandatory_ciphers=high
#smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options =
smtpd_sender_login_maps=hash:/etc/postfix/enabled_senders
## restrictions
# PERMIT MY NETWORKS MUST ALWAYS BE THE FIRST ARGUMENT OR YOU CANNOT SEND TO NON-LOCAL domains from NOT-DOVECOT
#policyd-spf_time_limit = 3600
smtpd_recipient_restrictions=permit_mynetworks,reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject_unauth_destination,check_policy_service unix:private/policyd-spf,check_sender_access hash:/etc/postfix/sender_blacklist
#smtpd_recipient_restrictions=permit_mynetworks,reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject_unauth_destination,check_sender_access hash:/etc/postfix/sender_blacklist
#smtpd_sender_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_non_fqdn_sender
smtpd_sender_restrictions=reject_authenticated_sender_login_mismatch,reject_non_fqdn_sender,permit_sasl_authenticated
# USER mappings (not reliant on unix users)
# MAILMAN #
virtual_mailbox_domains = atlantishq.de,darknet-fashion.de,darknet-fashion.com,potaris.de
virtual_alias_maps = hash:/etc/postfix/virtual
#recipient_cononical_maps = hash:/etc/postfix/canonical-recipient
virtual_transport = lmtp:unix:private/dovecot_lmtp_target
#relocated_maps = hash:/etc/postfix/mail_redirect
alias_maps = hash:/etc/aliases
virtual_minimum_uid = 100
virtual_uid_maps = static:1009
virtual_gid_maps = static:1009
#receive_override_options = no_address_mappings
# spam redirect happens here
header_checks = regexp:/etc/postfix/header_checks
# random shit
biff = no
readme_directory = no
compatibility_level = 2
myhostname = mail.atlantishq.de
#mydestination = localhost.divercitystudio.de,localhost.atlantishq.de, ,localhost
mydestination = localhost
#,localhost.esports-erlangen.de,esports-erlangen.de
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
message_size_limit = 80480000
inet_interfaces = all
inet_protocols = all
#alias_maps = hash:/etc/aliases
# Milter configuration
milter_default_action = accept
milter_protocol = 6
smtpd_milters = inet:localhost:8892
non_smtpd_milters = $smtpd_milters
disable_mime_output_conversion = yes
authorized_submit_users = !check,static:all
+58
@@ -0,0 +1,58 @@
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (no) (never) (100)
# ==========================================================================
smtp inet n - y - - smtpd
-o content_filter=spamassassin
8025 inet n - y - - smtpd
spamassassin unix - n n - - pipe
user=spamd argv=/usr/bin/spamc -f -e
/usr/sbin/sendmail -oi -f ${sender} ${recipient}
#smtp inet n - y - 1 postscreen
smtps inet n - y - - smtpd -v
-o smtpd_tls_wrappermode=yes
#smtpd pass - - y - - smtpd
#dnsblog unix - - y - 0 dnsblog
#tlsproxy unix - - y - 0 tlsproxy
submission inet n - y - - smtpd
#628 inet n - y - - qmqpd
pickup unix n - y 60 1 pickup
cleanup unix n - y - 0 cleanup
qmgr unix n - n 300 1 qmgr
#qmgr unix n - n 300 1 oqmgr
tlsmgr unix - - y 1000? 1 tlsmgr
rewrite unix - - y - - trivial-rewrite
bounce unix - - y - 0 bounce
defer unix - - y - 0 bounce
trace unix - - y - 0 bounce
verify unix - - y - 1 verify
flush unix n - y 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - y - - smtp
relay unix - - y - - smtp
showq unix n - y - - showq
error unix - - y - - error
retry unix - - y - - error
discard unix - - y - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - y - - lmtp
anvil unix - - y - 1 anvil
scache unix - - y - 1 scache
policyd-spf unix - n n - 0 spawn
user=policyd-spf argv=/usr/bin/policyd-spf
########################## OTHER #############################
maildrop unix - n n - - pipe
flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp unix - n n - - pipe
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail unix - n n - - pipe
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe
flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
dovecot unix - n n - - pipe
flags=DRhu user=vmail:vmail argv=/usr/local/libexec/dovecot/dovecot-lda -f ${sender} -d ${user}@${nexthop} -m ${extension}
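Review bot: The `smtps inet n - y - - smtpd -v` line carries the `-v` debug flag, which makes smtpd log the whole SMTP dialogue of every wrapper-mode session — including the AUTH exchange — so client credentials can end up base64-encoded in the mail log; drop it for production: `smtps     inet  n       -       y       -       -       smtpd`. The `submission` service a few lines below inherits only the global main.cf restrictions; the usual hardening is `-o smtpd_client_restrictions=permit_sasl_authenticated,reject` on that service, unless unauthenticated submission on 587 is intended here. The extra `8025 inet ... smtpd` listener has no `-o` overrides and no comment saying what reaches it; a one-line comment naming its purpose would help the next reader.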
+63
@@ -0,0 +1,63 @@
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 768;
# multi_accept on;
}
http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
types_hash_max_size 2048;
# server_tokens off;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# SSL Settings
##
ssl_certificate /etc/letsencrypt/live/atlantishq.de/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/atlantishq.de/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
##
# Logging Settings
##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
##
# Gzip Settings
##
gzip on;
# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
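Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;` still offers TLS 1.0 and 1.1, which are deprecated (RFC 8996) and will be flagged by any scanner; the inline `# Dropping SSLv3` comment no longer reflects current guidance. Use `ssl_protocols TLSv1.2 TLSv1.3;` — that also matches the TLSv1.2 floor the Postfix tls_policy file in this same commit imposes on outbound mail. With `ssl_prefer_server_ciphers on` but no `ssl_ciphers` line the default cipher list applies, so either add an explicit modern list or drop the prefer directive. `# server_tokens off;` is still commented out; enabling it keeps the nginx version string out of response headers and error pages.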
+26
@@ -0,0 +1,26 @@
server {
server_name mail.atlantishq.de autoconfig.atlantishq.de autodiscover.atlantishq.de autoconfig.potaris.de;
listen 443 ssl;
listen 80;
listen [::]:443 ssl;
location /.well-known/acme-challenge/ {
auth_basic off;
alias /var/www/.well-known/acme-challenge/;
}
location /initdb {
allow 127.0.0.1;
deny all;
}
location /{
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Proto http;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
proxy_pass http://localhost:8080;
}
}
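Review bot: `proxy_set_header X-Forwarded-Proto http;` hard-codes the scheme, so the backend on 8080 believes every request arrived over plain HTTP even when it came in on the `listen 443 ssl` socket, which typically breaks secure-cookie flags and HTTPS redirect generation in the proxied application; use `proxy_set_header X-Forwarded-Proto $scheme;`. The same server block also answers `listen 80;` and proxies those requests to the backend unchanged, so a login to the proxied application can complete over cleartext — a separate port-80 block that only serves `/.well-known/acme-challenge/` and returns `301 https://$host$request_uri` for everything else is the usual shape. Note that `location /initdb` carries no `proxy_pass` (it is not inherited), so even the allowed 127.0.0.1 requests are served from the default root rather than the backend; if that is meant as a loopback-only path into the app it needs its own `proxy_pass` line.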
+1
@@ -0,0 +1 @@
atlantishq atlantishq.de:default:/etc/opendkim/keys/atlantishq.de/default.private
+86
@@ -0,0 +1,86 @@
# This is a basic configuration that can easily be adapted to suit a standard
# installation. For more advanced options, see opendkim.conf(5) and/or
# /usr/share/doc/opendkim/examples/opendkim.conf.sample.
# Log to syslog
Syslog yes
# Required to use local socket with MTAs that access the socket as a non-
# privileged user (e.g. Postfix)
UMask 007
# Sign for example.com with key in /etc/dkimkeys/dkim.key using
# selector '2007' (e.g. 2007._domainkey.example.com)
#Domain example.com
#KeyFile /etc/dkimkeys/dkim.key
#Selector 2007
# Commonly-used options; the commented-out versions show the defaults.
#Canonicalization simple
#Mode sv
#SubDomains no
# Socket smtp://localhost
#
# ## Socket socketspec
# ##
# ## Names the socket where this filter should listen for milter connections
# ## from the MTA. Required. Should be in one of these forms:
# ##
# ## inet:port@address to listen on a specific interface
# ## inet:port to listen on all interfaces
# ## local:/path/to/socket to listen on a UNIX domain socket
#
Socket inet:8892@localhost
#Socket local:/var/run/opendkim/opendkim.sock
#Socket local:/var/spool/postfix/opendkim/opendkim.sock
## PidFile filename
### default (none)
###
### Name of the file where the filter should write its pid before beginning
### normal operations.
#
PidFile /var/run/opendkim/opendkim.pid
# Always oversign From (sign using actual From and a null From to prevent
# malicious signatures header fields (From and/or others) between the signer
# and the verifier. From is oversigned by default in the Debian pacakge
# because it is often the identity key used by reputation systems and thus
# somewhat security sensitive.
OversignHeaders From
## ResolverConfiguration filename
## default (none)
##
## Specifies a configuration file to be passed to the Unbound library that
## performs DNS queries applying the DNSSEC protocol. See the Unbound
## documentation at http://unbound.net for the expected content of this file.
## The results of using this and the TrustAnchorFile setting at the same
## time are undefined.
## In Debian, /etc/unbound/unbound.conf is shipped as part of the Suggested
## unbound package
# ResolverConfiguration /etc/unbound/unbound.conf
## TrustAnchorFile filename
## default (none)
##
## Specifies a file from which trust anchor data should be read when doing
## DNS queries and applying the DNSSEC protocol. See the Unbound documentation
## at http://unbound.net for the expected format of this file.
TrustAnchorFile /usr/share/dns/root.key
## Userid userid
### default (none)
###
### Change to user "userid" before starting normal operation? May include
### a group ID as well, separated from the userid by a colon.
#
UserID opendkim
ExternalIgnoreList /etc/opendkim/trusted.hosts
InternalHosts /etc/opendkim/trusted.hosts
SigningTable refile:/etc/opendkim/signing.table
KeyTable /etc/opendkim/key.table
+3
@@ -0,0 +1,3 @@
*@atlantishq.de atlantishq
*@lantia-it.de atlantishq
*@esports-erlangen.de atlantishq
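Review bot: All three patterns point at the single `atlantishq` key, and the key.table entry in this commit signs that key with domain `atlantishq.de`, so mail from lantia-it.de and esports-erlangen.de gets a signature whose `d=` does not align with the From: domain — it still verifies as DKIM, but it does not satisfy DMARC for those two domains. If they publish DMARC, give each its own key.table line (`<name> <domain>:<selector>:<keyfile>`, with a matching DKIM DNS record under that domain) and map the `*@<domain>` pattern here to that name. esports-erlangen.de also appears only in commented-out form in main.cf's `mydestination` and is absent from `virtual_mailbox_domains`, so the entry here may be stale; worth confirming before the key is reused for it.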
+6
@@ -0,0 +1,6 @@
127.0.0.1
localhost
atlantishq.de
192.168.122.112
192.168.122.107
192.168.122.117
@@ -0,0 +1,16 @@
# For a fully commented sample config file see policyd-spf.conf.commented
debugLevel = 1
TestOnly = 1
#HELO_reject = Fail
#Mail_From_reject = Fail
HELO_reject = False
Mail_From_reject = False
PermError_reject = False
TempError_Defer = False
skip_addresses = 127.0.0.0/8,::ffff:127.0.0.0/104,::1,192.168.122.112,192.168.122.107
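Review bot: With `TestOnly = 1` together with `HELO_reject = False`, `Mail_From_reject = False` and `PermError_reject = False`, this policy daemon never returns a reject action, so the `check_policy_service unix:private/policyd-spf` entry in main.cf only adds a Received-SPF header and SPF is effectively not enforced on inbound mail. If that is a deliberate observation phase it deserves a comment saying so; otherwise switch to `TestOnly = 0` and `Mail_From_reject = Fail` once the header output has been reviewed. `skip_addresses` lists 192.168.122.112 and 192.168.122.107 but not 192.168.122.117, which the OpenDKIM trusted.hosts file in this commit treats as internal; confirm whether that host should be exempt here as well.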
+1
@@ -0,0 +1 @@
test@atlantishq.de sheppy@atlantishq.de
+11
@@ -0,0 +1,11 @@
alyssa@catapult.gg REJECT
service-expert.net REJECT
yougetnow.com REJECT
forestanes.pics REJECT
stockcard.io REJECT
zapingers.autos REJECT
cleverep.com REJECT
.ru REJECT
allsip.ru REJECT
sina.buffy@avantgarde-experts.de OK
.avantgarde-experts.de OK
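Review bot: The leading-dot entries `.ru REJECT` and `.avantgarde-experts.de OK` are most likely inert: with Postfix's default `parent_domain_matches_subdomains` (which includes `smtpd_access_maps`), access(5) matches subdomains through the bare parent key (`ru REJECT`, `avantgarde-experts.de OK`) and the `.domain` form is only consulted when that setting has been changed. Either switch to the bare form or set `parent_domain_matches_subdomains` explicitly in main.cf and note it at the top of this file. The `OK` rows are only safe because `check_sender_access` sits after `reject_unauth_destination` in `smtpd_recipient_restrictions`; a comment recording that ordering dependency would stop a later reorder from turning the whitelist into a relay hole. This map also needs `postmap` after every edit, which nothing in the accompanying playbook runs.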
+13
@@ -0,0 +1,13 @@
[atlantishq.de]:587 encrypt protocols=TLSv1.2 ciphers=high
[atlantishq.de]:msa encrypt protocols=TLSv1.2 ciphers=high
[atlantishq.de]:submission encrypt protocols=TLSv1.2 ciphers=high
[esports-erlangen.de]:587 encrypt protocols=TLSv1.2 ciphers=high
[esports-erlangen.de]:msa encrypt protocols=TLSv1.2 ciphers=high
[esports-erlangen.de]:submission encrypt protocols=TLSv1.2 ciphers=high
[darknet-fashion.de]:587 encrypt protocols=TLSv1.2 ciphers=high
[darknet-fashion.de]:msa encrypt protocols=TLSv1.2 ciphers=high
[darknet-fashion.de]:submission encrypt protocols=TLSv1.2 ciphers=high
[darknet-fashion.com]:587 encrypt protocols=TLSv1.2 ciphers=high
[darknet-fashion.com]:msa encrypt protocols=TLSv1.2 ciphers=high
[darknet-fashion.com]:submission encrypt protocols=TLSv1.2 ciphers=high
.datev.de encrypt
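Review bot: Every entry uses `encrypt`, which enforces TLS but performs no certificate verification, so these sessions remain exposed to an active man-in-the-middle; for fixed peers like the submission ports listed here `secure` (or `verify` with an explicit `match=` hostname) is the appropriate level, and the same holds for `.datev.de encrypt`. `protocols=TLSv1.2` pins the client to exactly TLS 1.2 and excludes TLS 1.3; on Postfix 3.6 or newer `protocols=>=TLSv1.2` expresses the intended floor, on older versions list both versions. The keys `[atlantishq.de]:587` and friends are next-hop destinations, so they only apply when some transport or relayhost actually routes mail to those hosts on 587/msa/submission; if the file was meant to cover ordinary MX delivery to these domains, the bracket-and-port form will never match.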
+3
@@ -0,0 +1,3 @@
atlantishq.de lmtp:unix:private/dovecot_lmtp_target
darknet-fashion.de lmtp:unix:private/dovecot_lmtp_target
darknet-fashion.com lmtp:unix:private/dovecot_lmtp_target
+38
@@ -0,0 +1,38 @@
# you can also so this: test-second-account@atlantishq.de test@atlantishq.de
# which will give all incoming mails of test-second-account to test (sorta obvious)
# IMPORTANT >> IT IS _NOT_ NESSESARY TO DO THE FOLLOWING << IMPORTANT
# user@atlantishq.de user@esports-erlangen.de
# every user will get emails from both domains
# If a user also wants to _SEND_ mails, he also have to have an
# entry in the /etc/postfix/enabled-senders
# CHANGES IN THIS FILE MUST BE MAPPED BEFORE RESTART (!)
# postmap FILENAME
# CHANGES IN THIS FILE WILL ONLY BE APPLIED ON POSTFIX RESTART, NOT RELOAD (!)
# sheppy
insurgency@atlantishq.de sheppy@atlantishq.de
yannik@atlantishq.de sheppy@atlantishq.de
tac@atlantishq.de sheppy@atlantishq.de
uplay@atlantishq.de sheppy@atlantishq.de
#yannik.schmidt@potaris.de sheppy@atlantishq.de
acc@atlantishq.de sheppy@atlantishq.de
mail@potaris.de yannik.schmidt@potaris.de
sector32@potaris.de yannik.schmidt@potaris.de
root@atlantishq.de sheppy@atlantishq.de
trackmania-2@atlantishq.de sheppy@atlantishq.de
maria@atlantishq.de mondauge@icloud.com
steam-potaris-1@atlantishq.de sheppy@atlantishq.de
steam-potaris-2@atlantishq.de sheppy@atlantishq.de
steam-potaris-3@atlantishq.de sheppy@atlantishq.de
# michy
ipatix@atlantishq.de michael.panzlaff@fau.de
# catchall
#@atlantishq.de root@atlantishq.de
#@esports-erlangen.de root@atlantishq.de
@darknet-fashion.com joerg@darknet-fashion.de
@darknet-fashion.de joerg@darknet-fashion.de
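Review bot: `maria@atlantishq.de mondauge@icloud.com` and `ipatix@atlantishq.de michael.panzlaff@fau.de` forward to external providers, and a virtual_alias_maps rewrite keeps the original envelope sender, so the receiving site sees this server emitting mail for an unrelated domain; where that domain publishes a strict SPF record (and DMARC `p=reject`) the forwarded copy is likely to be rejected — SRS rewriting or per-address exceptions are needed for those two lines. The header comment's instruction to restart rather than reload is stronger than necessary for a hash: map — `postmap` followed by `postfix reload` is sufficient — but the `postmap` step it mentions is genuinely required, and the accompanying playbook copies this file without running it. The catch-alls `@darknet-fashion.com` and `@darknet-fashion.de` route every unknown address for those domains to a single mailbox; confirm the spam cost of that is accepted.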
+2
@@ -0,0 +1,2 @@
dependencies:
- global-handlers
+88
@@ -0,0 +1,88 @@
- name: Install Mail stuff
apt:
pkg:
- postfix
- dovecot-core
- dovecot-imapd
- spamassassin
- nginx
- postfix-policyd-spf-python
- opendkim
- opendkim-tools
state: present
- name: Deploy Postfix config
copy:
src: "{{ item }}"
dest: "/etc/postfix/{{ item }}"
with_items:
- dynamicmaps.cf
- enabled_senders
- main.cf
- master.cf
- relocated
- sender_blacklist
- tls_policy
- transport
- virtual
- header_checks
notify: restart postfix
- name: Deploy dmark/opendkim config (main)
copy:
src: "opendkim/opendkim.conf"
dest: "/etc/opendkim.conf"
notify: restart opendkim
- name: Deploy dmark/opendkim config (config dir)
copy:
src: "opendkim/{{ item }}"
dest: "/etc/opendkim/"
with_items:
- key.table
- signing.table
- trusted.hosts
notify: restart opendkim
- name: Deploy policy spf config
copy:
src: "policy-spf/policyd-spf.conf"
dest: "/etc/postfix-policyd-spf-python/"
notify: restart postfix
- name: Deploy dmark/opendkim config (config dir)
copy:
src: "opendkim/{{ item }}"
dest: "/etc/opendkim/"
with_items:
- key.table
- signing.table
notify: restart postfix
- name: Deploy Dovecot config
copy:
src: "{{ item }}"
dest: "/etc/dovecot/{{ item }}"
with_items:
- dovecot.conf
notify: restart dovecot
- name: Deploy nginx-config
copy:
src: nginx.conf
dest: /etc/nginx/nginx.conf
notify: restart nginx
- name: Deploy nginx-config (page)
copy:
src: nginx_default.conf
dest: /etc/nginx/sites-available/default
notify: restart nginx
- name: Deploy user passwd config
copy:
src: dovecot_passwd
dest: /var/dovecot/auth/passwd
owner: dovecot
group: dovecot
notify: restart dovecot
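Review bot: `Deploy Postfix config` copies the hash: map sources (`enabled_senders`, `relocated`, `sender_blacklist`, `tls_policy`, `transport`, `virtual`) but nothing runs `postmap` on the target, so the `.db` files Postfix actually reads are never (re)built and every edit to these maps is silently ignored until someone runs it by hand; the task below closes that gap. `Deploy user passwd config` sets owner and group but no `mode`, so the Dovecot passwd file takes copy's default permissions and its hashes can end up world-readable — add `mode: "0600"`. The second `Deploy dmark/opendkim config (config dir)` task duplicates the first with a narrower item list and a different handler and can be removed. `/var/dovecot/auth/` is not created by any task here, so the final copy fails on a fresh host unless that directory comes from elsewhere; a `file:` task with `state: directory` before it would make the role idempotent from scratch.
```yaml
# … unchanged: Install Mail stuff, Deploy Postfix config …
- name: Rebuild Postfix hash maps
  command: postmap /etc/postfix/{{ item }}
  with_items:
    - enabled_senders
    - relocated
    - sender_blacklist
    - tls_policy
    - transport
    - virtual
  notify: restart postfix
# … unchanged: opendkim, policyd-spf, dovecot and nginx tasks …
```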
+2
@@ -0,0 +1,2 @@
kathi:$y$j9T$llGL4Qoz3NYzphDi4UcK41$O2DR8i5YMS6iiKohETw58Wt5m55F/H/MIHgH3qxAdz9
sheppy:$y$j9T$nh0aLCxl0aZ9hczSkAUxP1$zEA6PI7Kwv.lfcfJJn91hQ4A4wCjQrGyZ0w47IeyYg8
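Review bot: This file carries yescrypt (`$y$`) password hashes for two accounts into version control, which sits oddly with the commit title `initial: no secrets`; hashes are not plaintext, but anyone with repository access gets an offline target, so the file belongs in ansible-vault or should be generated on the host from a vaulted variable. nginx's `auth_basic` verifies hashes through the system crypt(3), and yescrypt support depends on the target's libcrypt build — worth one login test on the deployed host, since an unsupported hash type fails closed for every user.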
+28
@@ -0,0 +1,28 @@
map $http_x_nginx_cert_auth $basic_auth_val {
default "private";
true off;
}
server {
autoindex on;
autoindex_localtime on;
listen 8000;
root /var/www/media;
add_header Vary Accept-Encoding;
add_header Access-Control-Allow-Origin $http_origin;
location /videos/{
default_type video/mp4;
limit_rate 2m;
autoindex on;
}
location /auth/{
auth_basic $basic_auth_val;
auth_basic_user_file /etc/nginx/htpasswd;
}
}
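Review bot: `map $http_x_nginx_cert_auth $basic_auth_val` derives the auth switch from a client-supplied request header, so any client that can reach `listen 8000;` directly can send `X-Nginx-Cert-Auth: true` and obtain `auth_basic off` for `/auth/`; the header is only a trustworthy signal if a front proxy both sets it from a real client-certificate check and strips it from incoming requests, and port 8000 is unreachable from anywhere else. If TLS is terminated on this nginx, key the map on `$ssl_client_verify` (`SUCCESS off;`) instead; if it is terminated on a front proxy, use `listen 127.0.0.1:8000;` and document the header contract in a comment above the map. `add_header Access-Control-Allow-Origin $http_origin;` reflects every Origin, which is effectively a wildcard that also passes for credentialed requests; restrict it to the known front-end origins. `autoindex on` at server level exposes the whole `/var/www/media` tree to directory listing, which may be intended for a media share but should be stated.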
+2
@@ -0,0 +1,2 @@
dependencies:
- global-handlers
+17
@@ -0,0 +1,17 @@
- name: Install Nginx
apt:
pkg:
- nginx
state: present
- name: Deploy nginx-config (page)
copy:
src: nginx_media.conf
dest: /etc/nginx/sites-available/media.conf
notify: restart nginx
- name: Deploy nginx basic auth file
copy:
src: htpasswd
dest: /etc/nginx/
notify: restart nginx
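Review bot: `Deploy nginx basic auth file` copies htpasswd into `/etc/nginx/` with no `owner` or `mode`, so the file gets copy's default permissions and its password hashes are readable by every local account; set `owner: root`, `group: www-data`, `mode: "0640"`. `Deploy nginx-config (page)` drops `media.conf` into `sites-available`, but no task links it into `sites-enabled`, which is the directory `nginx.conf` includes — unless that link is created elsewhere the server block never loads; a `file:` task with `state: link` fixes it (the mail role's `sites-available/default` is fine because the Debian package ships that symlink by default).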
+687
@@ -0,0 +1,687 @@
#!/usr/bin/perl -w
# check_mailq - check to see how many messages are in the smtp queue awating
# transmittal.
#
# Initial version support sendmail's mailq command
# Support for mutiple sendmail queues (Carlos Canau)
# Support for qmail (Benjamin Schmid)
# License Information:
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301
# USA
#
############################################################################
use POSIX;
use strict;
use Getopt::Long;
use vars qw($opt_V $opt_h $opt_v $verbose $PROGNAME $opt_w $opt_c $opt_t $opt_s
$opt_M $mailq $status $state $msg $msg_q $msg_p $opt_W $opt_C $mailq @lines
%srcdomains %dstdomains);
use FindBin;
use lib "$FindBin::Bin";
use utils qw(%ERRORS &print_revision &support &usage );
my ($sudo);
sub print_help ();
sub print_usage ();
sub process_arguments ();
$ENV{'PATH'}='/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin';
$ENV{'BASH_ENV'}='';
$ENV{'ENV'}='';
$PROGNAME = "check_mailq";
$mailq = 'sendmail'; # default
$msg_q = 0 ;
$msg_p = 0 ;
$state = $ERRORS{'UNKNOWN'};
Getopt::Long::Configure('bundling');
$status = process_arguments();
if ($status){
print "ERROR: processing arguments\n";
exit $ERRORS{"UNKNOWN"};
}
if ($opt_s) {
if (defined $utils::PATH_TO_SUDO && -x $utils::PATH_TO_SUDO) {
$sudo = $utils::PATH_TO_SUDO;
} else {
print "ERROR: Cannot execute sudo\n";
exit $ERRORS{'UNKNOWN'};
}
} else {
$sudo = "";
}
$SIG{'ALRM'} = sub {
print ("ERROR: timed out waiting for $utils::PATH_TO_MAILQ \n");
exit $ERRORS{"WARNING"};
};
alarm($opt_t);
# switch based on MTA
if ($mailq eq "sendmail") {
## open mailq
if ( defined $utils::PATH_TO_MAILQ && -x $utils::PATH_TO_MAILQ ) {
if (! open (MAILQ, "$sudo $utils::PATH_TO_MAILQ | " ) ) {
print "ERROR: could not open $utils::PATH_TO_MAILQ \n";
exit $ERRORS{'UNKNOWN'};
}
}elsif( defined $utils::PATH_TO_MAILQ){
unless (-x $utils::PATH_TO_MAILQ) {
print "ERROR: $utils::PATH_TO_MAILQ is not executable by (uid $>:gid($)))\n";
exit $ERRORS{'UNKNOWN'};
}
} else {
print "ERROR: \$utils::PATH_TO_MAILQ is not defined\n";
exit $ERRORS{'UNKNOWN'};
}
# single queue empty
##/var/spool/mqueue is empty
# single queue: 1
## /var/spool/mqueue (1 request)
##----Q-ID---- --Size-- -----Q-Time----- ------------Sender/Recipient------------
##h32E30p01763 2782 Wed Apr 2 15:03 <silvaATkpnqwest.pt>
## 8BITMIME
## <silvaATeunet.pt>
# multi queue empty
##/var/spool/mqueue/q0/df is empty
##/var/spool/mqueue/q1/df is empty
##/var/spool/mqueue/q2/df is empty
##/var/spool/mqueue/q3/df is empty
##/var/spool/mqueue/q4/df is empty
##/var/spool/mqueue/q5/df is empty
##/var/spool/mqueue/q6/df is empty
##/var/spool/mqueue/q7/df is empty
##/var/spool/mqueue/q8/df is empty
##/var/spool/mqueue/q9/df is empty
##/var/spool/mqueue/qA/df is empty
##/var/spool/mqueue/qB/df is empty
##/var/spool/mqueue/qC/df is empty
##/var/spool/mqueue/qD/df is empty
##/var/spool/mqueue/qE/df is empty
##/var/spool/mqueue/qF/df is empty
## Total Requests: 0
# multi queue: 1
##/var/spool/mqueue/q0/df is empty
##/var/spool/mqueue/q1/df is empty
##/var/spool/mqueue/q2/df is empty
## /var/spool/mqueue/q3/df (1 request)
##----Q-ID---- --Size-- -----Q-Time----- ------------Sender/Recipient------------
##h32De2f23534* 48 Wed Apr 2 14:40 nocol
## nouserATEUnet.pt
## canau
##/var/spool/mqueue/q4/df is empty
##/var/spool/mqueue/q5/df is empty
##/var/spool/mqueue/q6/df is empty
##/var/spool/mqueue/q7/df is empty
##/var/spool/mqueue/q8/df is empty
##/var/spool/mqueue/q9/df is empty
##/var/spool/mqueue/qA/df is empty
##/var/spool/mqueue/qB/df is empty
##/var/spool/mqueue/qC/df is empty
##/var/spool/mqueue/qD/df is empty
##/var/spool/mqueue/qE/df is empty
##/var/spool/mqueue/qF/df is empty
## Total Requests: 1
while (<MAILQ>) {
# match email addr on queue listing
if ( (/<.*@.*\.(\w+\.\w+)>/) || (/<.*@(\w+\.\w+)>/) ) {
my $domain = $1;
if (/^\w+/) {
print "$utils::PATH_TO_MAILQ = srcdomain = $domain \n" if $verbose ;
$srcdomains{$domain} ++;
}
next;
}
#
# ...
# sendmail considers a message with more than one destiny, say N, to the same MX
# to have N messages in queue.
# we will only consider one in this code
if (( /\s\(reply:\sread\serror\sfrom\s.*\.(\w+\.\w+)\.$/ ) || ( /\s\(reply:\sread\serror\sfrom\s(\w+\.\w+)\.$/ ) ||
( /\s\(timeout\swriting\smessage\sto\s.*\.(\w+\.\w+)\.:/ ) || ( /\s\(timeout\swriting\smessage\sto\s(\w+\.\w+)\.:/ ) ||
( /\s\(host\smap:\slookup\s\(.*\.(\w+\.\w+)\):/ ) || ( /\s\(host\smap:\slookup\s\((\w+\.\w+)\):/ ) ||
( /\s\(Deferred:\s.*\s.*\.(\w+\.\w+)\.\)/ ) || ( /\s\(Deferred:\s.*\s(\w+\.\w+)\.\)/ ) ) {
print "$utils::PATH_TO_MAILQ = dstdomain = $1 \n" if $verbose ;
$dstdomains{$1} ++;
}
if (/\s+\(I\/O\serror\)/) {
print "$utils::PATH_TO_MAILQ = dstdomain = UNKNOWN \n" if $verbose ;
$dstdomains{'UNKNOWN'} ++;
}
# Finally look at the overall queue length
#
if (/mqueue/) {
print "$utils::PATH_TO_MAILQ = $_ "if $verbose ;
if (/ \((\d+) request/) {
#
# single queue: first line
# multi queue: one for each queue. overwrite on multi queue below
$msg_q = $1 ;
}
} elsif (/^\s+Total\sRequests:\s(\d+)$/i) {
print "$utils::PATH_TO_MAILQ = $_ \n" if $verbose ;
#
# multi queue: last line
$msg_q = $1 ;
}
}
## close mailq
close (MAILQ);
if ( $? ) {
print "CRITICAL: Error code ".($?>>8)." returned from $utils::PATH_TO_MAILQ",$/;
exit $ERRORS{CRITICAL};
}
## shut off the alarm
alarm(0);
## now check the queue length(s)
if ($msg_q == 0) {
$msg = "OK: $mailq mailq is empty";
$state = $ERRORS{'OK'};
} else {
print "msg_q = $msg_q warn=$opt_w crit=$opt_c\n" if $verbose;
# overall queue length
if ($msg_q < $opt_w) {
$msg = "OK: $mailq mailq ($msg_q) is below threshold ($opt_w/$opt_c)";
$state = $ERRORS{'OK'};
}elsif ($msg_q >= $opt_w && $msg_q < $opt_c) {
$msg = "WARNING: $mailq mailq is $msg_q (threshold w = $opt_w)";
$state = $ERRORS{'WARNING'};
}else {
$msg = "CRITICAL: $mailq mailq is $msg_q (threshold c = $opt_c)";
$state = $ERRORS{'CRITICAL'};
}
# check for domain specific queue lengths if requested
if (defined $opt_W) {
# Apply threshold to queue lengths FROM domain
my @srckeys = sort { $srcdomains{$b} <=> $srcdomains{$a} } keys %srcdomains;
my $srcmaxkey = $srckeys[0];
print "src max is $srcmaxkey with $srcdomains{$srcmaxkey} messages\n" if $verbose;
if ($srcdomains{$srcmaxkey} >= $opt_W && $srcdomains{$srcmaxkey} < $opt_C) {
if ($state == $ERRORS{'OK'}) {
$msg = "WARNING: $srcdomains{$srcmaxkey} messages in queue FROM $srcmaxkey (threshold W = $opt_W)";
$state = $ERRORS{'WARNING'};
} elsif (($state == $ERRORS{'WARNING'}) || ($state == $ERRORS{'CRITICAL'})){
$msg .= " -and- $srcdomains{$srcmaxkey} messages in queue FROM $srcmaxkey (threshold W = $opt_W)";
} else {
$msg = "WARNING: $srcdomains{$srcmaxkey} messages in queue FROM $srcmaxkey (threshold W = $opt_W)";
$state = $ERRORS{'WARNING'};
}
} elsif ($srcdomains{$srcmaxkey} >= $opt_C) {
if ($state == $ERRORS{'OK'}) {
$msg = "CRITICAL: $srcdomains{$srcmaxkey} messages in queue FROM $srcmaxkey (threshold C = $opt_C)";
$state = $ERRORS{'CRITICAL'};
} elsif ($state == $ERRORS{'WARNING'}) {
$msg = "CRITICAL: $srcdomains{$srcmaxkey} messages in queue FROM $srcmaxkey (threshold C = $opt_C) -and- " . $msg;
$msg =~ s/WARNING: //;
} elsif ($state == $ERRORS{'CRITICAL'}) {
$msg .= " -and- $srcdomains{$srcmaxkey} messages in queue FROM $srcmaxkey (threshold W = $opt_W)";
} else {
$msg = "CRITICAL: $srcdomains{$srcmaxkey} messages in queue FROM $srcmaxkey (threshold W = $opt_W)";
$state = $ERRORS{'CRITICAL'};
}
} else {
if ($srcdomains{$srcmaxkey} > 0) {
$msg .= " $srcdomains{$srcmaxkey} msgs. FROM $srcmaxkey is below threshold ($opt_W/$opt_C)";
}
}
# Apply threshold to queue lengths TO domain
my @dstkeys = sort { $dstdomains{$b} <=> $dstdomains{$a} } keys %dstdomains;
my $dstmaxkey = $dstkeys[0];
print "dst max is $dstmaxkey with $dstdomains{$dstmaxkey} messages\n" if $verbose;
if ($dstdomains{$dstmaxkey} >= $opt_W && $dstdomains{$dstmaxkey} < $opt_C) {
if ($state == $ERRORS{'OK'}) {
$msg = "WARNING: $dstdomains{$dstmaxkey} messages in queue TO $dstmaxkey (threshold W = $opt_W)";
$state = $ERRORS{'WARNING'};
} elsif (($state == $ERRORS{'WARNING'}) || ($state == $ERRORS{'CRITICAL'})){
$msg .= " -and- $dstdomains{$dstmaxkey} messages in queue TO $dstmaxkey (threshold W = $opt_W)";
} else {
$msg = "WARNING: $dstdomains{$dstmaxkey} messages in queue TO $dstmaxkey (threshold W = $opt_W)";
$state = $ERRORS{'WARNING'};
}
} elsif ($dstdomains{$dstmaxkey} >= $opt_C) {
if ($state == $ERRORS{'OK'}) {
$msg = "CRITICAL: $dstdomains{$dstmaxkey} messages in queue TO $dstmaxkey (threshold C = $opt_C)";
$state = $ERRORS{'CRITICAL'};
} elsif ($state == $ERRORS{'WARNING'}) {
$msg = "CRITICAL: $dstdomains{$dstmaxkey} messages in queue TO $dstmaxkey (threshold C = $opt_C) -and- " . $msg;
$msg =~ s/WARNING: //;
} elsif ($state == $ERRORS{'CRITICAL'}) {
$msg .= " -and- $dstdomains{$dstmaxkey} messages in queue TO $dstmaxkey (threshold W = $opt_W)";
} else {
$msg = "CRITICAL: $dstdomains{$dstmaxkey} messages in queue TO $dstmaxkey (threshold W = $opt_W)";
$state = $ERRORS{'CRITICAL'};
}
} else {
if ($dstdomains{$dstmaxkey} > 0) {
$msg .= " $dstdomains{$dstmaxkey} msgs. TO $dstmaxkey is below threshold ($opt_W/$opt_C)";
}
}
} # End of queue length thresholds
}
} # end of ($mailq eq "sendmail")
elsif ( $mailq eq "postfix" ) {
## open mailq
if ( defined $utils::PATH_TO_MAILQ && -x $utils::PATH_TO_MAILQ ) {
if (! open (MAILQ, "$sudo $utils::PATH_TO_MAILQ | " ) ) {
print "ERROR: could not open $utils::PATH_TO_MAILQ \n";
exit $ERRORS{'UNKNOWN'};
}
}elsif( defined $utils::PATH_TO_MAILQ){
unless (-x $utils::PATH_TO_MAILQ) {
print "ERROR: $utils::PATH_TO_MAILQ is not executable by (uid $>:gid($)))\n";
exit $ERRORS{'UNKNOWN'};
}
} else {
print "ERROR: \$utils::PATH_TO_MAILQ is not defined\n";
exit $ERRORS{'UNKNOWN'};
}
@lines = reverse <MAILQ>;
# close qmail-qstat
close MAILQ;
if ( $? ) {
print "CRITICAL: Error code ".($?>>8)." returned from $utils::PATH_TO_MAILQ",$/;
exit $ERRORS{CRITICAL};
}
## shut off the alarm
alarm(0);
# check queue length
if ($lines[0]=~/Kbytes in (\d+)/) {
$msg_q = $1 ;
}elsif ($lines[0]=~/Mail queue is empty/) {
$msg_q = 0;
}else{
print "Couldn't match $utils::PATH_TO_MAILQ output\n";
exit $ERRORS{'UNKNOWN'};
}
# check messages not processed
#if ($lines[1]=~/^messages in queue but not yet preprocessed: (\d+)/) {
# my $msg_p = $1;
#}else{
# print "Couldn't match $utils::PATH_TO_MAILQ output\n";
# exit $ERRORS{'UNKNOWN'};
#}
# check queue length(s)
if ($msg_q == 0){
$msg = "OK: $mailq mailq reports queue is empty";
$state = $ERRORS{'OK'};
} else {
print "msg_q = $msg_q warn=$opt_w crit=$opt_c\n" if $verbose;
# overall queue length
if ($msg_q < $opt_w) {
$msg = "OK: $mailq mailq ($msg_q) is below threshold ($opt_w/$opt_c)";
$state = $ERRORS{'OK'};
}elsif ($msg_q >= $opt_w && $msg_q < $opt_c) {
$msg = "WARNING: $mailq mailq is $msg_q (threshold w = $opt_w)";
$state = $ERRORS{'WARNING'};
}else {
$msg = "CRITICAL: $mailq mailq is $msg_q (threshold c = $opt_c)";
$state = $ERRORS{'CRITICAL'};
}
# check messages not yet preprocessed (only compare is $opt_W and $opt_C
# are defined)
#if (defined $opt_W) {
# $msg .= "[Preprocessed = $msg_p]";
# if ($msg_p >= $opt_W && $msg_p < $opt_C ) {
# $state = $state == $ERRORS{"CRITICAL"} ? $ERRORS{"CRITICAL"} : $ERRORS{"WARNING"} ;
# }elsif ($msg_p >= $opt_C ) {
# $state = $ERRORS{"CRITICAL"} ;
# }
#}
}
} # end of ($mailq eq "postfix")
elsif ( $mailq eq "qmail" ) {
# open qmail-qstat
if ( defined $utils::PATH_TO_QMAIL_QSTAT && -x $utils::PATH_TO_QMAIL_QSTAT ) {
if (! open (MAILQ, "$sudo $utils::PATH_TO_QMAIL_QSTAT | " ) ) {
print "ERROR: could not open $utils::PATH_TO_QMAIL_QSTAT \n";
exit $ERRORS{'UNKNOWN'};
}
}elsif( defined $utils::PATH_TO_QMAIL_QSTAT){
unless (-x $utils::PATH_TO_QMAIL_QSTAT) {
print "ERROR: $utils::PATH_TO_QMAIL_QSTAT is not executable by (uid $>:gid($)))\n";
exit $ERRORS{'UNKNOWN'};
}
} else {
print "ERROR: \$utils::PATH_TO_QMAIL_QSTAT is not defined\n";
exit $ERRORS{'UNKNOWN'};
}
@lines = <MAILQ>;
# close qmail-qstat
close MAILQ;
if ( $? ) {
print "CRITICAL: Error code ".($?>>8)." returned from $utils::PATH_TO_MAILQ",$/;
exit $ERRORS{CRITICAL};
}
## shut off the alarm
alarm(0);
# check queue length
if ($lines[0]=~/^messages in queue: (\d+)/) {
$msg_q = $1 ;
}else{
print "Couldn't match $utils::PATH_TO_QMAIL_QSTAT output\n";
exit $ERRORS{'UNKNOWN'};
}
# check messages not processed
if ($lines[1]=~/^messages in queue but not yet preprocessed: (\d+)/) {
my $msg_p = $1;
}else{
print "Couldn't match $utils::PATH_TO_QMAIL_QSTAT output\n";
exit $ERRORS{'UNKNOWN'};
}
# check queue length(s)
if ($msg_q == 0){
$msg = "OK: qmail-qstat reports queue is empty";
$state = $ERRORS{'OK'};
} else {
print "msg_q = $msg_q warn=$opt_w crit=$opt_c\n" if $verbose;
# overall queue length
if ($msg_q < $opt_w) {
$msg = "OK: $mailq mailq ($msg_q) is below threshold ($opt_w/$opt_c)";
$state = $ERRORS{'OK'};
}elsif ($msg_q >= $opt_w && $msg_q < $opt_c) {
$msg = "WARNING: $mailq mailq is $msg_q (threshold w = $opt_w)";
$state = $ERRORS{'WARNING'};
}else {
$msg = "CRITICAL: $mailq mailq is $msg_q (threshold c = $opt_c)";
$state = $ERRORS{'CRITICAL'};
}
# check messages not yet preprocessed (only compare is $opt_W and $opt_C
# are defined)
if (defined $opt_W) {
$msg .= "[Preprocessed = $msg_p]";
if ($msg_p >= $opt_W && $msg_p < $opt_C ) {
$state = $state == $ERRORS{"CRITICAL"} ? $ERRORS{"CRITICAL"} : $ERRORS{"WARNING"} ;
}elsif ($msg_p >= $opt_C ) {
$state = $ERRORS{"CRITICAL"} ;
}
}
}
} # end of ($mailq eq "qmail")
elsif ( $mailq eq "exim" ) {
## open mailq
if ( defined $utils::PATH_TO_MAILQ && -x $utils::PATH_TO_MAILQ ) {
if (! open (MAILQ, "$sudo $utils::PATH_TO_MAILQ | " ) ) {
print "ERROR: could not open $utils::PATH_TO_MAILQ \n";
exit $ERRORS{'UNKNOWN'};
}
}elsif( defined $utils::PATH_TO_MAILQ){
unless (-x $utils::PATH_TO_MAILQ) {
print "ERROR: $utils::PATH_TO_MAILQ is not executable by (uid $>:gid($)))\n";
exit $ERRORS{'UNKNOWN'};
}
} else {
print "ERROR: \$utils::PATH_TO_MAILQ is not defined\n";
exit $ERRORS{'UNKNOWN'};
}
while (<MAILQ>) {
#22m 1.7K 19aEEr-0007hx-Dy <> *** frozen ***
#root@exlixams.glups.fr
if (/\s[\w\d]{6}-[\w\d]{6}-[\w\d]{2}\s/) { # message id 19aEEr-0007hx-Dy
$msg_q++ ;
}
}
close(MAILQ) ;
if ( $? ) {
print "CRITICAL: Error code ".($?>>8)." returned from $utils::PATH_TO_MAILQ",$/;
exit $ERRORS{CRITICAL};
}
if ($msg_q < $opt_w) {
$msg = "OK: $mailq mailq ($msg_q) is below threshold ($opt_w/$opt_c)";
$state = $ERRORS{'OK'};
}elsif ($msg_q >= $opt_w && $msg_q < $opt_c) {
$msg = "WARNING: $mailq mailq is $msg_q (threshold w = $opt_w)";
$state = $ERRORS{'WARNING'};
}else {
$msg = "CRITICAL: $mailq mailq is $msg_q (threshold c = $opt_c)";
$state = $ERRORS{'CRITICAL'};
}
} # end of ($mailq eq "exim")
elsif ( $mailq eq "nullmailer" ) {
## open mailq
if ( defined $utils::PATH_TO_MAILQ && -x $utils::PATH_TO_MAILQ ) {
if (! open (MAILQ, "$sudo $utils::PATH_TO_MAILQ | " ) ) {
print "ERROR: could not open $utils::PATH_TO_MAILQ \n";
exit $ERRORS{'UNKNOWN'};
}
}elsif( defined $utils::PATH_TO_MAILQ){
unless (-x $utils::PATH_TO_MAILQ) {
print "ERROR: $utils::PATH_TO_MAILQ is not executable by (uid $>:gid($)))\n";
exit $ERRORS{'UNKNOWN'};
}
} else {
print "ERROR: \$utils::PATH_TO_MAILQ is not defined\n";
exit $ERRORS{'UNKNOWN'};
}
while (<MAILQ>) {
#2006-06-22 16:00:00 282 bytes
if (/^[1-9][0-9]*-[01][0-9]-[0-3][0-9]\s[0-2][0-9]\:[0-2][0-9]\:[0-2][0-9]\s{2}[0-9]+\sbytes$/) {
$msg_q++ ;
}
}
close(MAILQ) ;
if ($msg_q < $opt_w) {
$msg = "OK: $mailq mailq ($msg_q) is below threshold ($opt_w/$opt_c)";
$state = $ERRORS{'OK'};
}elsif ($msg_q >= $opt_w && $msg_q < $opt_c) {
$msg = "WARNING: $mailq mailq is $msg_q (threshold w = $opt_w)";
$state = $ERRORS{'WARNING'};
}else {
$msg = "CRITICAL: $mailq mailq is $msg_q (threshold c = $opt_c)";
$state = $ERRORS{'CRITICAL'};
}
} # end of ($mailq eq "nullmailer")
# Perfdata support
print "$msg|unsent=$msg_q;$opt_w;$opt_c;0\n";
exit $state;
#####################################
#### subs
sub process_arguments(){
GetOptions
("V" => \$opt_V, "version" => \$opt_V,
"v" => \$opt_v, "verbose" => \$opt_v,
"h" => \$opt_h, "help" => \$opt_h,
"M:s" => \$opt_M, "mailserver:s" => \$opt_M, # mailserver (default sendmail)
"w=i" => \$opt_w, "warning=i" => \$opt_w, # warning if above this number
"c=i" => \$opt_c, "critical=i" => \$opt_c, # critical if above this number
"t=i" => \$opt_t, "timeout=i" => \$opt_t,
"s" => \$opt_s, "sudo" => \$opt_s,
"W=i" => \$opt_W, # warning if above this number
"C=i" => \$opt_C, # critical if above this number
);
if ($opt_V) {
print_revision($PROGNAME,'2.3.1');
exit $ERRORS{'UNKNOWN'};
}
if ($opt_h) {
print_help();
exit $ERRORS{'UNKNOWN'};
}
if (defined $opt_v ){
$verbose = $opt_v;
}
unless (defined $opt_t) {
$opt_t = $utils::TIMEOUT ; # default timeout
}
unless ( defined $opt_w && defined $opt_c ) {
print_usage();
exit $ERRORS{'UNKNOWN'};
}
if ( $opt_w >= $opt_c) {
print "Warning (-w) cannot be greater than Critical (-c)!\n";
exit $ERRORS{'UNKNOWN'};
}
if (defined $opt_W && ! defined !$opt_C) {
print "Need -C if using -W\n";
exit $ERRORS{'UNKNOWN'};
}elsif(defined $opt_W && defined $opt_C) {
if ($opt_W >= $opt_C) {
print "Warning (-W) cannot be greater than Critical (-C)!\n";
exit $ERRORS{'UNKNOWN'};
}
}
if (defined $opt_M) {
if ($opt_M =~ /^(sendmail|qmail|postfix|exim|nullmailer)$/) {
$mailq = $opt_M ;
}elsif( $opt_M eq ''){
$mailq = 'sendmail';
}else{
print "-M: $opt_M is not supported\n";
exit $ERRORS{'UNKNOWN'};
}
}else{
if (defined $utils::PATH_TO_QMAIL_QSTAT
&& -x $utils::PATH_TO_QMAIL_QSTAT)
{
$mailq = 'qmail';
}
elsif (-d '/var/lib/postfix' || -d '/var/local/lib/postfix'
|| -e '/usr/sbin/postfix' || -e '/usr/local/sbin/postfix')
{
$mailq = 'postfix';
}
elsif (-d '/usr/lib/exim4' || -d '/usr/local/lib/exim4'
|| -e '/usr/sbin/exim' || -e '/usr/local/sbin/exim')
{
$mailq = 'exim';
}
elsif (-d '/usr/lib/nullmailer' || -d '/usr/local/lib/nullmailer'
|| -e '/usr/sbin/nullmailer-send'
|| -e '/usr/local/sbin/nullmailer-send')
{
$mailq = 'nullmailer';
}
else {
$mailq = 'sendmail';
}
}
return $ERRORS{'OK'};
}
sub print_usage () {
print "Usage: $PROGNAME -w <warn> -c <crit> [-W <warn>] [-C <crit>] [-M <MTA>] [-t <timeout>] [-s] [-v]\n";
}
sub print_help () {
print_revision($PROGNAME,'2.3.1');
print "Copyright (c) 2002 Subhendu Ghosh/Carlos Canau/Benjamin Schmid\n";
print "\n";
print_usage();
print "\n";
print " Checks the number of messages in the mail queue (supports multiple sendmail queues, qmail)\n";
print " Feedback/patches to support non-sendmail mailqueue welcome\n\n";
print "-w (--warning) = Min. number of messages in queue to generate warning\n";
print "-c (--critical) = Min. number of messages in queue to generate critical alert ( w < c )\n";
print "-W = Min. number of messages for same domain in queue to generate warning\n";
print "-C = Min. number of messages for same domain in queue to generate critical alert ( W < C )\n";
print "-t (--timeout) = Plugin timeout in seconds (default = $utils::TIMEOUT)\n";
print "-M (--mailserver) = [ sendmail | qmail | postfix | exim | nullmailer ] (default = autodetect)\n";
print "-s (--sudo) = Use sudo to call the mailq command\n";
print "-h (--help)\n";
print "-V (--version)\n";
print "-v (--verbose) = debugging output\n";
print "\n\n";
print "Note: -w and -c are required arguments. -W and -C are optional.\n";
print " -W and -C are applied to domains listed on the queues - both FROM and TO. (sendmail)\n";
print " -W and -C are applied message not yet preproccessed. (qmail)\n";
print " This plugin tries to autodetect which mailserver you are running,\n";
print " you can override the autodetection with -M.\n";
print " This plugin uses the system mailq command (sendmail) or qmail-stat (qmail)\n";
print " to look at the queues. Mailq can usually only be accessed by root or \n";
print " a TrustedUser. You will have to set appropriate permissions for the plugin to work.\n";
print "";
print "\n\n";
support();
}
+81
@@ -0,0 +1,81 @@
- name: Update apt-get repo and cache
apt:
update_cache: yes
force_apt_get: yes
cache_valid_time: 3600
changed_when: False
- name: Install Dependencies
apt:
name:
- python3-nagiosplugin
- nagios-plugins-contrib
- git
state: present
- name: Clone Passive Monitoring
git:
repo: https://github.com/FAUSheppy/icinga-passive-checks-monitoring
dest: "/etc/monitoring/"
version: master
- name: Clone Monitoring Tools
git:
repo: https://github.com/FAUSheppy/monitoring-tools
dest: "/etc/monitoring-tools/"
version: master
- name: Copy send_nsca to /bin/
copy:
src: send_nsca
dest: /bin/send_nsca
mode: 0755
- name: Copy send nsca config
template:
src: send_nsca.cfg.j2
dest: /etc/send_nsca.cfg
mode: 0744
- name: Copy check_mailq
copy:
src: check_mailq
dest: /usr/lib/nagios/plugins/check_mailq
mode: 0755
- name: Copy systemd monitoring
copy:
src: pynagsystemd.py
dest: /bin/pynagsystemd.py
mode: 0755
- name: Check if PostgreSQL is installed
command: dpkg -s postgresql
register: postgresql_installed
ignore_errors: true
changed_when: false
failed_when: false
check_mode: no
- name: Set has_postgres variable
set_fact:
has_postgres: "{{ postgresql_installed.rc == 0 }}"
- name: Template Remote Monitoring Config
template:
src: monitoring.conf.j2
dest: /etc/monitoring.conf
owner: root
mode: 0644
- name: Add monitoring report cronjob
cron:
name: "monitoring"
job: "/etc/monitoring/monitoring-report.py -c /etc/monitoring.conf --nsca-bin /bin/send_nsca --nsca-config /etc/send_nsca.cfg"
- name: Install Prometheus Node Exporter
become: yes
import_role:
name: prometheus.prometheus.node_exporter
vars:
node_exporter_web_telemetry_path: "/node-exporter"
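Review bot: The `Copy send nsca config` task installs `/etc/send_nsca.cfg` with `mode: 0744`, but the template it renders (send_nsca.cfg.j2 in this same commit) writes `password = {{ nsca_password }}` in plaintext, so the shared NSCA secret becomes readable by every local account on every monitored host; it should be `mode: 0600` together with `owner: root`, which also matches the `cron` task that invokes `send_nsca` as root because it sets no `user` (the execute bit in 0744 is meaningless for a config file anyway). Separately, both `git` tasks pull `version: master` from GitHub and the clone is then executed by that root cron job, so whatever lands on those branches runs as root on every host; pinning `version:` to a commit SHA or a tag would make that supply chain auditable. The `Copy systemd monitoring` task also installs `/bin/pynagsystemd.py`, while the monitoring.conf.j2 template in this commit references `/etc/monitoring-tools/pynagsystemd.py` from the clone instead, so one of the two copies appears unused.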
@@ -0,0 +1,10 @@
nobody disk-remote /usr/lib/nagios/plugins/check_disk -w 10% -c 5% -p /
nobody load-remote /usr/lib/nagios/plugins/check_load -w 5,3,2 -c 10,6,4
nobody procs-remote /usr/lib/nagios/plugins/check_procs
nobody systemd /etc/monitoring-tools/pynagsystemd.py
{% if checks %}
{% for entry in checks %}
{{ entry["user"] }} {{ entry["name"] }} {{ entry["cmd"] }}
{% endfor %}
{% endif %}
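Review bot: The `systemd` check line points at `/etc/monitoring-tools/pynagsystemd.py`, i.e. the unpinned git clone, while the tasks file in this commit also installs a vendored copy at `/bin/pynagsystemd.py`; if the vendored copy is the intended one this line should read `nobody systemd /bin/pynagsystemd.py`, otherwise the copy task is dead. The inventory-driven lines render `{{ entry["user"] }}` and `{{ entry["cmd"] }}` verbatim, so a `root` user or a stray newline in a `checks` entry is silently turned into a check definition (presumably executed as that user by monitoring-report.py, which is not visible here). A header comment such as `# format: <user> <check-name> <command>; user is expected to be an unprivileged account` would document the contract for whoever edits `checks` in the inventory.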
@@ -0,0 +1,5 @@
identity = {{ group_names[0] }}
password = {{ nsca_password }}
server = {{ nsca_server }}
port = 5668
tls_ciphers = "PSK-AES256-CBC-SHA"
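Review bot: `identity = {{ group_names[0] }}` makes the NSCA identity depend on the order of the host's inventory groups, and it means every host in a group authenticates with the same identity and the same `nsca_password`, so one compromised host can submit passive results on behalf of every other host sharing that identity (assuming the server authorizes per identity, as NSCA-ng does). A per-host identity such as `identity = {{ inventory_hostname }}` with a per-host password in host_vars would contain that, at the cost of one matching authorize entry per host in the gitignored nsca_server.conf. At minimum a comment above the line stating that `group_names[0]` must match an authorize block on the NSCA server would document the coupling, since nothing here enforces it.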
+2
@@ -0,0 +1,2 @@
dependencies:
- global-handlers
+45
@@ -0,0 +1,45 @@
- name: Copy influx apt keyring
copy:
src: influx-repo.gpg
dest: /usr/share/keyrings/
mode: 0644
when: monitoring_master
- name: Add influx apt repo
copy:
src: influxdb.list
dest: /etc/apt/sources.list.d/
mode: 0644
when: monitoring_master
- name: Install influxdb
apt:
name: influxdb
state: present
when: monitoring_master
- name: Influxdb master server config
template:
src: influxdb.conf.j2
dest: /etc/influxdb/influxdb.conf
when: monitoring_master
notify:
- restart influxdb
- name: Create Influx collectd-db
shell: 'echo "CREATE DATABASE collectd;" | influx'
changed_when: False
when: monitoring_master
- name: Install collectd
apt:
name: collectd
install_recommends: false
state: present
- name: Collectd config
template:
src: collectd.conf.j2
dest: /etc/collectd/collectd.conf
notify:
- restart collectd
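Review bot: `Create Influx collectd-db` pipes `CREATE DATABASE collectd;` into `influx` right after `Influxdb master server config`, but the `restart influxdb` handler that task notifies only fires at the end of the play, so on a first run the CLI talks to whatever the freshly installed package started rather than to a daemon running the templated config, and fails outright if the package does not autostart the service. Adding `- meta: flush_handlers` before the create task and giving that task `retries:`/`until:` so it waits for the HTTP port makes the ordering explicit rather than incidental. `command: influx -execute 'CREATE DATABASE collectd'` would also avoid the shell pipeline while keeping the statement idempotent, so `changed_when: False` can stay.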
@@ -0,0 +1,34 @@
FQDNLookup true
LoadPlugin cpu
LoadPlugin df
LoadPlugin disk
LoadPlugin entropy
LoadPlugin interface
LoadPlugin irq
LoadPlugin load
LoadPlugin memory
LoadPlugin network
LoadPlugin processes
LoadPlugin swap
LoadPlugin users
LoadPlugin rrdtool
<Plugin df>
FSType rootfs
FSType sysfs
FSType proc
FSType devtmpfs
FSType devpts
FSType tmpfs
FSType fusectl
FSType cgroup
IgnoreSelected true
</Plugin>
<Plugin network>
Server "internal.monitoring.atlantishq.de" "25826"
</Plugin>
<Plugin rrdtool>
DataDir "/var/lib/collectd/rrd"
</Plugin>
<Include "/etc/collectd/collectd.conf.d">
Filter "*.conf"
</Include>
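Review bot: The `<Plugin network>` block sends every host's metrics to the master over plain UDP with no `SecurityLevel`, `Username` or `Password`, so the stream is neither authenticated nor encrypted and anything that can reach UDP 25826 on the master can inject or read metrics for any host. collectd's network plugin supports signing or encrypting per server, so the `Server` line should become a `<Server>` block with `SecurityLevel Encrypt` and credentials from vars; the InfluxDB collectd listener in this commit then needs a matching `security-level` and `auth-file`, otherwise it will drop the signed packets. Note this template is also deployed to the master itself, so the master ends up shipping to its own listener, which is fine but worth a comment.

```conf
<Plugin network>
  <Server "internal.monitoring.atlantishq.de" "25826">
    SecurityLevel Encrypt
    Username "{{ collectd_user }}"
    Password "{{ collectd_password }}"
  </Server>
</Plugin>
# … unchanged: rrdtool plugin and Include …
```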
@@ -0,0 +1,29 @@
[meta]
dir = "/var/lib/influxdb/meta"
[data]
dir = "/var/lib/influxdb/data"
wal-dir = "/var/lib/influxdb/wal"
[[collectd]]
enabled = true
bind-address = ":25826"
database = "collectd"
retention-policy = ""
# security-level = "none"
# auth-file = "/etc/collectd/auth_file"
batch-size = 5000
batch-pending = 10
batch-timeout = "10s"
read-buffer = 0
# Multi-value plugins can be handled two ways.
# "split" will parse and store the multi-value plugin data into separate measurements
# "join" will parse and store the multi-value plugin as a single multi-value measurement.
# "split" is the default behavior for backward compatability with previous versions of influxdb.
# parse-multivalue-plugin = "split"
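Review bot: The `[[collectd]]` listener is enabled on `bind-address = ":25826"`, i.e. every interface, while `security-level` and `auth-file` are left commented out, so unless the package default differs from the commented `"none"` the listener accepts unsigned, unauthenticated UDP from anyone who can reach the port and writes it into the `collectd` database. Binding to the internal address and requiring signed packets is three lines: `bind-address = "{{ influx_collectd_bind }}:25826"`, `security-level = "sign"` (or `"encrypt"`), `auth-file = "/etc/collectd/auth_file"`, with the clients' `<Plugin network>` configured to match. The template also has no `[http]` section, so the HTTP API's bind address and `auth-enabled` are whatever the package defaults to; making that explicit here would document the exposure.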
@@ -0,0 +1,32 @@
server {
listen 80;
listen 9080;
server_name icinga.atlantishq.de;
#auth_basic "ICINGA";
#auth_basic_user_file /etc/nginx/auth/stats_auth;
access_log /var/log/nginx/access-icinga.log;
error_log /var/log/nginx/error-icinga.log;
location = / {
return 302 https://icinga.atlantishq.de/icingaweb2;
}
##### ICINGA WEB #####
location ~ ^/icingaweb2/index\.php(.*)$ {
include fastcgi.conf;
include fastcgi_params;
# fastcgi_temp_path fastcgi;
fastcgi_pass unix:/etc/alternatives/php-fpm.sock;
fastcgi_index index.php;
# fastcgi_param SCRIPT_NAME /usr/share/icingaweb2/public/index.php;
fastcgi_param SCRIPT_FILENAME /usr/share/icingaweb2/public/index.php;
fastcgi_param ICINGAWEB_CONFIGDIR /etc/icingaweb2;
fastcgi_param REMOTE_USER $http_x_forwarded_preferred_username;
}
location ~ ^/icingaweb2(.+)? {
alias /usr/share/icingaweb2/public;
index index.php;
try_files $1 $uri $uri/ /icingaweb2/index.php$is_args$args;
}
}
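Review bot: `fastcgi_param REMOTE_USER $http_x_forwarded_preferred_username;` hands Icinga Web 2 a username taken straight from a client-supplied request header, and this server block listens on ports 80 and 9080 with `auth_basic` commented out, so if either port is reachable by anything other than the authenticating reverse proxy, a request carrying `X-Forwarded-Preferred-Username: <admin user>` is logged in as that user once Icinga Web 2's external authentication backend is enabled. The header should only be trusted from the proxy: restrict the block with `allow <proxy address>; deny all;` (or bind the `listen` directives to the internal interface) and add a comment above the `fastcgi_param` naming the upstream that is expected to set the header. The `return 302 https://…/icingaweb2` on `/` suggests TLS terminates elsewhere, which is consistent with that assumption but does not enforce it.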
@@ -0,0 +1,52 @@
object Host "esports-erlangen.de" {
import "generic-host"
address = "esports-erlangen.de"
name = "esports-erlangen.de"
check_command = "hostalive4"
vars.linux = "true"
max_check_attempts = 5
retry_interval = 1m
vars.notification["mail"] = {
groups = ["ese"]
}
}
apply Service "dovecot-imap-tls-993" {
import "generic-service"
check_command = "ssl"
vars.host = host.address
vars.port = 993
assign where host.name == "esports-erlangen.de"
}
apply Service "postfix-smtp-25" {
import "generic-service"
check_command = "smtp"
vars.host = host.address
vars.protocol = "smtp"
vars.port = 25
assign where host.name == "esports-erlangen.de"
}
apply Service "postfix-smtp-starttls-25" {
import "generic-service"
check_command = "ssl"
vars.host = host.address
vars.protocol = "smtp"
vars.port = 25
assign where host.name == "esports-erlangen.de"
}
apply Service "website-http" {
import "generic-service"
check_command = "http"
vars.host = "www.esports-erlangen.de"
vars.ssl = true
assign where host.name == "esports-erlangen.de"
}
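Review bot: The services set `vars.host`, `vars.port`, `vars.protocol` and `vars.ssl`, but if `ssl`, `smtp` and `http` are the ITL CheckCommands, those read `ssl_address`/`ssl_port`, `smtp_address`/`smtp_port`/`smtp_starttls` and `http_address`/`http_vhost`/`http_ssl` instead, so `dovecot-imap-tls-993` would actually test `$address$` on the default port rather than 993, `postfix-smtp-starttls-25` would not negotiate STARTTLS, and `website-http` would probe plain HTTP while reporting OK. If these are custom commands defined elsewhere in the repo, a comment at the top of the file naming the command definition file would stop the next reader from drawing the same conclusion. `vars.linux = "true"` is also a string rather than a boolean, which matters for any `assign where host.vars.linux` rule.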
